CVE-2026-34416
Severity: MEDIUM
OSCAL-GUI Reflected XSS via project parameter in oscal.php
Title source: cnaDescription
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter. Attackers can craft a malicious URL containing unsanitized input that breaks out of the JavaScript string and HTML attribute context in the body onload event handler to execute arbitrary scripts when the link is visited by a victim.
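As an added illustration of the bug class the description names (this is not OSCAL-GUI code; the function name loadProject and the variable names are hypothetical), the following PHP places a request value inside a JavaScript string literal that itself sits inside the body onload attribute, and shows why encoding for only one of the two contexts is not enough:

```php
<?php
// Added illustration, not OSCAL-GUI code. Function names are hypothetical.
// Context: a request parameter ends up inside a JS string literal that is
// itself inside an HTML attribute (body onload), so two encoders apply.

// Vulnerable pattern: the raw value is concatenated into both contexts with
// no encoding, so any quote character in it terminates the string/attribute.
function render_onload_unsafe(string $project): string
{
    return '<body onload="loadProject(\'' . $project . '\')">';
}

// Still insufficient: HTML-escaping alone. The browser decodes the entity
// back to a quote before the JavaScript parser sees the attribute value,
// so the JS string context is left unprotected.
function render_onload_html_only(string $project): string
{
    $attr = htmlspecialchars($project, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<body onload="loadProject(\'' . $attr . '\')">';
}

// Hardened pattern: encode the innermost context first (JS string literal
// via json_encode with the HEX flags), then the outer one (HTML attribute).
// json_encode emits a double-quoted literal; htmlspecialchars turns those
// outer quotes into &quot;, which the browser restores before running the JS.
function render_onload_safe(string $project): string
{
    $js = json_encode(
        $project,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    $attr = htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<body onload="loadProject(' . $attr . ')">';
}

// Constructed sample input containing both quote kinds and angle brackets.
$sample = "O'Neil \"demo\" <project>";
echo render_onload_unsafe($sample), PHP_EOL;
echo render_onload_html_only($sample), PHP_EOL;
echo render_onload_safe($sample), PHP_EOL;
```

Only the last line of output keeps the sample confined to a single JavaScript string argument; the first two let the quote characters end the string or the attribute early.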
References (2)
Exploit (technical description): https://gist.github.com/cyberinforepo/5a8d369a005826b6b42bfeed9607c2dd
Third Party Advisory: https://www.vulncheck.com/advisories/oscal-gui-reflected-xss-via-project-parameter-in-oscal-php
Scores
CVSS v3: 6.1
EPSS: 0.0020
EPSS Percentile: 9.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
brian-ruf/OSCAL-GUI
Affected version range: < c989c4bd5a68f2621a81654e9250246539a28d5a
Published: Jun 09, 2026
Tracked Since: Jun 10, 2026