CVE-2026-34416
Description
OSCAL-GUI has a reflected XSS vulnerability in the project parameter, allowing unauthenticated attackers to execute JavaScript in a victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OSCAL-GUI contains a reflected cross-site scripting (XSS) vulnerability. This vulnerability exists in the oscal.php and oscal-forms.php files, specifically when processing the project request parameter. The software was tested on its latest commit as of June 2026 [1]. The affected project was archived on March 27, 2026 [2].
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL containing unsanitized input in the project parameter. This input can break out of the JavaScript string and HTML attribute context within the body onload event handler. When a victim visits this crafted URL, arbitrary JavaScript is executed in their browser [1, 2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to the disclosure of sensitive information, manipulation of the user interface, or potentially further attacks depending on the script executed [2].
Mitigation
This vulnerability affects OSCAL-GUI versions up to commit c989c4b. The affected project was archived on March 27, 2026, and is no longer actively maintained or patched. No specific mitigation or fixed version information is available in the provided references [2].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application reflects unsanitized user input from the 'project' parameter into the 'onload' event handler of the body tag."
Attack vector
An unauthenticated attacker can craft a malicious URL targeting the `oscal.php` page. By injecting specially crafted input into the `project` parameter, the attacker can break out of the JavaScript string and HTML attribute context. When a victim visits this malicious URL, arbitrary JavaScript is executed in their browser via the `onload` event handler [1]. The payload is reflected into the page source, leading to script execution.
Affected code
The vulnerability exists in `oscal.php` and is related to the inclusion of `oscal-begin.php`. Specifically, user input from the `project` parameter in `oscal.php` is processed in `oscal-begin.php` on line 40, where it is concatenated into the `$script` variable. This variable is then directly injected into the `onload` attribute of the `<body>` tag on line 15 of `oscal.php` [1].
What the fix does
The advisory does not provide information about a patch or specific remediation steps. Therefore, the exact fix cannot be determined. Users are advised to consult the vendor for the latest security updates and mitigation strategies.
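The concatenation pattern described above, shown beside a hardened equivalent, as an added illustration that is not OSCAL-GUI's code and not the project's patch; the `loadProject` call, the function names and the sample input are assumptions:

```php
<?php
// Added illustration (not OSCAL-GUI's code): the unsafe pattern the
// advisory describes, beside a hardened equivalent.
declare(strict_types=1);

// Unsafe: raw request input is concatenated into a JavaScript call that
// lands in an HTML event-handler attribute. A quote or angle bracket in
// $project ends the string and attribute context (CWE-79).
function unsafe_onload(string $project): string
{
    $script = "loadProject('" . $project . "')";
    return '<body onload="' . $script . '">';
}

// Preferred check: a project name is an identifier, so reject anything
// outside a strict allowlist before it reaches any output context.
// (Pattern is an assumption about what a project name should look like.)
function is_valid_project_name(string $project): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $project) === 1;
}

// Hardened output: json_encode yields a JavaScript string literal with
// quotes, angle brackets and ampersands hex-escaped; htmlspecialchars
// then encodes the result for the attribute. Both layers are needed
// because the value passes through the HTML parser before the JS parser.
function safe_onload(string $project): string
{
    $jsLiteral = json_encode(
        $project,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
    if ($jsLiteral === false) {
        $jsLiteral = '""'; // invalid UTF-8: emit an empty literal, not garbage
    }
    $script = 'loadProject(' . $jsLiteral . ')';
    $attr = htmlspecialchars($script, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<body onload="' . $attr . '">';
}

// Constructed sample containing the characters that matter.
$sample = "demo\" <x> 'y'";
var_dump(is_valid_project_name($sample)); // false: rejected up front
echo unsafe_onload($sample), PHP_EOL;     // sample escapes the string/attribute
echo safe_onload($sample), PHP_EOL;       // sample stays inside the literal
```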
Preconditions
- auth: The attacker does not require any authentication.
- network: The attacker can reach the vulnerable web server over the network.
- input: The attacker must provide a malicious payload in the 'project' URL parameter.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.