CVE-2026-34417
Description
OSCAL-GUI has a reflected XSS vulnerability in oscal-forms.php allowing unauthenticated attackers to execute JavaScript via the project request parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OSCAL-GUI contains a reflected cross-site scripting vulnerability in oscal-forms.php that is triggered by the project request parameter. The parameter's value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php. When a supplied project ID is not found, the unsanitized value is concatenated into an error message and reflected into the HTML response body without encoding [2].
Exploitation
An unauthenticated attacker can exploit this vulnerability by injecting malicious JavaScript content through the project request parameter in oscal-forms.php. The attacker needs to control the value of this parameter, which is then reflected in the error message displayed to the victim's browser [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, or other malicious actions within the scope of the victim's browser session [2].
Mitigation
Not yet disclosed in the available references. The tested version was the latest commit as of June 2026 [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application reflects unsanitized user input from the 'project' parameter into the HTML response."
Attack vector
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL that includes a JavaScript payload within the 'project' parameter of oscal-forms.php. The application takes the user-supplied value from the 'project' parameter, URL-decodes it, and then directly embeds it into an error message that is reflected in the HTML response body without proper encoding. This allows arbitrary JavaScript to be executed in the victim's browser when they visit the crafted URL [ref_id=1].
Affected code
The vulnerability exists in oscal-forms.php, which includes oscal-functions.php. In oscal-functions.php, the 'project' parameter from the GET request is URL-decoded and assigned to the $project_id variable without sanitization. This unsanitized $project_id is then concatenated into an error message via the Messages() function and reflected in the HTML response [ref_id=1].
What the fix does
The patch addresses the vulnerability by sanitizing the user-supplied input before it is reflected in the HTML response. Specifically, the code now properly encodes the project ID when it is used in the error message, preventing the injection of malicious JavaScript. This ensures that any special characters within the project ID are treated as literal characters rather than executable code, thus mitigating the reflected cross-site scripting vulnerability [ref_id=1].
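To make the described fix concrete, the following PHP is an added illustration written for this page, not code from OSCAL-GUI or from its patch: it places the reflection pattern described above (a URL-decoded 'project' value concatenated into a not-found message) beside a version that encodes the value for an HTML text context before it is embedded. Only $project_id and the fact that the message passes through a Messages() step come from the page; the function names, the encoder wrapper and the sample input are assumptions made for the example.

```php
<?php
// Added illustration, not OSCAL-GUI's code. Only $project_id and the
// existence of a Messages() step are from the CVE write-up; everything else
// here (function names, encoder wrapper, sample value) is assumed.

// Vulnerable shape: the raw parameter value reaches the HTML body unencoded,
// so any markup it contains is interpreted by the browser.
function project_not_found_message_vulnerable(string $project_id): string
{
    return "Project '" . $project_id . "' was not found.";
}

// Hardened shape: encode for an HTML text context at the point of output.
// ENT_QUOTES also escapes both quote styles, so the same encoder is safe if a
// later template change moves the value into a quoted attribute; ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string, and the
// charset is stated explicitly rather than relying on the default.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function project_not_found_message(string $project_id): string
{
    return "Project '" . html_encode($project_id) . "' was not found.";
}

// Stand-in for the Messages() step: it must receive already-encoded text, or
// itself encode, so the value cannot reach the page body raw by either route.
function messages(string $encoded_html): string
{
    return '<div class="message">' . $encoded_html . '</div>';
}

// Constructed sample input containing HTML metacharacters, mirroring the
// URL-decoding the write-up describes. Only the encoded path renders the
// brackets as literal text.
$sample = urldecode('%3Cem%3Enot-a-project%3C%2Fem%3E');

echo messages(project_not_found_message_vulnerable($sample)), PHP_EOL;
echo messages(project_not_found_message($sample)), PHP_EOL;
```

Run with `php` on the command line to compare the two lines: the first contains the <em> tags verbatim, the second contains them as entities. The design point is that encoding belongs at the output boundary, chosen for the context the value lands in (here HTML text), rather than as an input filter on $project_id, which would also break legitimate lookups of IDs that happen to contain such characters.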
Preconditions
- Authentication: The attacker does not require any authentication.
- Input: The attacker must provide a malicious payload in the 'project' parameter.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.