`osctrl-admin` has Stored Cross-Site Scripting (XSS) in On-Demand Query List
Description
osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the osctrl-admin on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user (including administrators) who visits the query list page. This can be chained with CSRF token extraction to escalate privileges and take actions as the logged-in user. An attacker with query-level permissions (the lowest privilege tier) can execute arbitrary JavaScript in the browsers of all users who view the query list. Depending on the victim's level of access, this can lead to full platform compromise if an administrator executes the payload. The issue is fixed in osctrl v0.5.0. As a workaround, restrict query-level permissions to trusted users, monitor the query list for suspicious payloads, and/or review osctrl user accounts for unauthorized administrators.
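To make the defect and the workaround concrete, here is an added illustration (not osctrl's own code, and not taken from the fix pull requests): a query-list row rendered once without output escaping, which lets stored markup reach the browser, and once with Go's html/template contextual escaping, which displays it as text; alongside, a check that flags stored queries containing markup for human review, as the workaround suggests. StoredQuery, rowTemplate and the sample rows are constructed assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	"regexp"
	texttmpl "text/template"
)

// StoredQuery is a constructed stand-in for an on-demand query row (not osctrl's own type).
type StoredQuery struct{ Name, Query string }

// rowTemplate is the same template source fed to both engines below.
const rowTemplate = `<tr><td>{{.Name}}</td><td>{{.Query}}</td></tr>`

// renderUnsafe uses text/template, which does no escaping: stored markup reaches the page verbatim.
func renderUnsafe(q StoredQuery) string {
	var buf bytes.Buffer
	texttmpl.Must(texttmpl.New("row").Parse(rowTemplate)).Execute(&buf, q)
	return buf.String()
}

// renderSafe uses html/template, whose contextual auto-escaping converts <, >, & and quotes to entities.
func renderSafe(q StoredQuery) string {
	var buf bytes.Buffer
	htmltmpl.Must(htmltmpl.New("row").Parse(rowTemplate)).Execute(&buf, q)
	return buf.String()
}

// markupRe matches an HTML tag or an inline event-handler attribute; a
// legitimate osquery statement has no reason to contain either.
var markupRe = regexp.MustCompile(`(?i)<\s*/?[a-z][^>]*>|\bon[a-z]+\s*=`)

// SuspiciousQueries is the advisory's workaround check: it returns the names
// of stored queries whose text contains markup, for a human to review.
func SuspiciousQueries(qs []StoredQuery) []string {
	var flagged []string
	for _, q := range qs {
		if markupRe.MatchString(q.Query) {
			flagged = append(flagged, q.Name)
		}
	}
	return flagged
}

func main() { // constructed sample: one ordinary query, one carrying markup
	qs := []StoredQuery{{"uptime", "SELECT * FROM uptime;"}, {"bad", "SELECT 1; <script>alert(1)</script>"}}
	fmt.Println(renderUnsafe(qs[1]), renderSafe(qs[1]), SuspiciousQueries(qs))
}
```

The regular expression errs on the side of flagging (a column name such as "one =" would match); the list is input to a review, not an automatic block.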
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS in osctrl-admin lets query-level users inject JavaScript via on-demand queries, leading to session hijacking and potential admin account compromise.
Overview
A stored Cross-Site Scripting (XSS) vulnerability in osctrl, an osquery management solution, allows an authenticated user with query-level permissions to inject arbitrary JavaScript into the query parameter of an on-demand query. The payload is stored server-side and executes in the browser of any user, including administrators, who views the on-demand query list page. This issue affects all versions prior to v0.5.0 [2][4].
Exploitation
An attacker with the lowest privilege tier (query-level permissions) can craft an on-demand query containing malicious JavaScript. The payload is stored and triggers when any user visits the query list interface. No additional authentication or network position is required beyond having query permissions. The stored nature of the XSS means the payload persists and affects users across sessions [2][4].
Impact
The injected JavaScript executes in the context of the victim's session, enabling CSRF token extraction. An attacker can then perform actions as the logged-in user, including privilege escalation. If an administrator views the malicious query list, a full compromise of the osctrl platform is possible, allowing unauthorized management of osquery endpoints and sensitive data access [2][4].
Mitigation
The vulnerability is patched in osctrl v0.5.0. Users should upgrade immediately. As a workaround, restrict query-level permissions to trusted users, monitor the query list for suspicious payloads, and review user accounts for unauthorized administrators [2][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/jmpsec/osctrl (Go) | < 0.5.0 | 0.5.0 |
Affected products
- Range: < 0.5.0
- jmpsec/osctrl, Range: < 0.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4rv8-5cmm-2r22 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28280 (NVD advisory)
- github.com/jmpsec/osctrl/pull/778 (web)
- github.com/jmpsec/osctrl/pull/780 (web)
- github.com/jmpsec/osctrl/security/advisories/GHSA-4rv8-5cmm-2r22 (vendor advisory, confirmed)
News mentions
No linked articles in our index yet.