Description

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0.

INFO

Published Date :

2026-05-04T17:15:59.239Z

Last Modified :

2026-05-04T19:47:16.828Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-42086 vulnerability.

Vendors Products
Openc3
  • Cosmos
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42086.

URL Resource
https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact