Score: 6.1

osctrl: Attacker can inject malicious code into query list

CVE-2026-28280 · GHSA-4rv8-5cmm-2r22
Summary

A stored cross-site scripting (XSS) vulnerability in osctrl allows an attacker with query-level permissions, the lowest privilege tier, to inject JavaScript into the on-demand query list. The payload runs in the browser of every user who views the list, including administrators, and can lead to full platform compromise if an administrator's session is hijacked. Upgrade to osctrl 0.5.0; until you can, restrict query-level permissions to trusted users.

What to do
  • Update github.com/jmpsec/osctrl (osctrl) to version 0.5.0.
Affected software
Vendor  Product                            Affected versions  Fix available
jmpsec  osctrl (github.com/jmpsec/osctrl)  < 0.5.0            0.5.0
Original title
osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List
Original description
### Summary
A stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user (including administrators) who visits the query list page. It can be chained with CSRF token extraction to escalate privileges and take actions as the logged-in user.

### Impact
An attacker with query-level permissions (the lowest privilege tier) can execute arbitrary JavaScript in the browsers of all users who view the query list. The script runs with the viewing user's privileges, so it can lead to full platform compromise if an administrator loads the poisoned list.

### Patches
Fixed in osctrl `v0.5.0`. Users should upgrade immediately.

### Workarounds
Restrict query-level permissions to trusted users. Monitor the query list for suspicious payloads. Review osctrl user accounts for unauthorized administrators.
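The rendering mistake behind this advisory and the "monitor the query list" workaround, as an added example that is not osctrl's own code (this page does not show how `osctrl-admin` actually renders the list). It is written in Go because osctrl is a Go project; the `Query` struct, the row template and the `looksSuspicious` heuristic are constructed here for illustration. `renderUnsafe` interpolates the stored query text into HTML without escaping, `renderSafe` is the same template rendered through `html/template`, which escapes per context, and `looksSuspicious` is a triage filter for stored rows.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"regexp"
	texttemplate "text/template"
)

// Query is a constructed stand-in for one stored on-demand query row.
// The field names are hypothetical and are not osctrl's own types.
type Query struct {
	Name  string // query name chosen by the submitter
	Query string // the osquery SQL text, attacker-controlled and stored verbatim
	By    string // submitting user
}

// rowTmpl is the one template body both renderers share: the stored
// query text is interpolated into a table cell of the list page.
const rowTmpl = `<tr><td>{{.Name}}</td><td>{{.Query}}</td><td>{{.By}}</td></tr>`

// renderUnsafe models the vulnerable pattern (CWE-79): text/template
// performs no escaping, so whatever was stored is emitted as raw HTML and
// a <script> element inside the query text becomes live script.
func renderUnsafe(q Query) string {
	t := texttemplate.Must(texttemplate.New("row").Parse(rowTmpl))
	var buf bytes.Buffer
	if err := t.Execute(&buf, q); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderSafe is the hardened form: html/template escapes each value for
// the context it lands in, so '<' becomes '&lt;' and the browser shows the
// payload as text instead of executing it.
func renderSafe(q Query) string {
	t := htmltemplate.Must(htmltemplate.New("row").Parse(rowTmpl))
	var buf bytes.Buffer
	if err := t.Execute(&buf, q); err != nil {
		panic(err)
	}
	return buf.String()
}

// suspicious is a triage heuristic for reviewing stored rows. Legitimate
// osquery SQL can contain '<' in comparisons, so it matches only HTML tags,
// inline event handlers and javascript: URLs. It is an aid for the
// workaround, not a substitute for output encoding.
var suspicious = regexp.MustCompile(`(?i)<\s*/?\s*(script|img|svg|iframe|object|embed|a)\b|\bon[a-z]+\s*=|javascript:`)

func looksSuspicious(sql string) bool {
	return suspicious.MatchString(sql)
}

func main() {
	// Constructed sample rows: one benign query and two stored payloads.
	rows := []Query{
		{Name: "procs", Query: "SELECT name, pid FROM processes WHERE pid < 100;", By: "analyst"},
		{Name: "hosts", Query: "SELECT 1; <script>alert(document.cookie)</script>", By: "lowpriv"},
		{Name: "img", Query: `SELECT 1; <img src=x onerror="alert(1)">`, By: "lowpriv"},
	}
	for _, r := range rows {
		fmt.Printf("suspicious=%-5v unsafe: %s\n", looksSuspicious(r.Query), renderUnsafe(r))
		fmt.Printf("                 safe:   %s\n", renderSafe(r))
	}
}
```

Only the benign row passes `looksSuspicious`; the two payload rows survive `renderUnsafe` as executable markup and come out of `renderSafe` as inert `&lt;script&gt;...` text. The fix is the escaping, not the heuristic: the regex will miss obfuscated payloads and is there so an operator on a pre-0.5.0 install can sweep the stored list while planning the upgrade.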

### References
- https://github.com/jmpsec/osctrl/pull/778
- https://cwe.mitre.org/data/definitions/79.html

### Credits

Leon Johnson and Kwangyun Keum from TikTok USDS JV Offensive Security Operations (Offensive Privacy Team)

https://github.com/Kwangyun → @Kwangyun

https://github.com/sho-luv → @sho-luv
NVD CVSS 3.1 score: 8.7
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 28 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026