CVE-2026-34417
Severity: MEDIUM
OSCAL-GUI Reflected XSS via project parameter in oscal-forms.php
Title source: cnaDescription
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding.
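The pattern the description outlines, shown as an added illustration that is not code from OSCAL-GUI: the reconstructed Messages() helper, the find_project() lookup and the handle() flow are hypothetical stand-ins for the behaviour described, placed beside a hardened version that encodes the value at the output boundary.

```php
<?php
// Added illustration, not OSCAL-GUI source. Messages(), find_project() and
// handle() are hypothetical reconstructions of the described flow.

// Hypothetical project lookup over a constructed fixture; no database.
function find_project(string $project_id): ?array {
    $known = ['proj-1' => ['name' => 'Demo project']];  // constructed
    return $known[$project_id] ?? null;
}

// Vulnerable pattern: the raw parameter is concatenated into the error
// message and written into the HTML body without any output encoding.
function messages_vulnerable(string $text): string {
    return '<div class="msg">' . $text . '</div>';
}

// Hardened pattern: encode at the output boundary so the browser renders
// the value as text rather than parsing it as markup.
function messages_safe(string $text): string {
    return '<div class="msg">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Handler sketch mirroring the description: read the parameter, URL-decode
// it, look the project up, and on a miss reflect the supplied id back.
function handle(array $get, bool $hardened): string {
    $project_id = urldecode($get['project'] ?? '');
    // Optional second layer: reject ids outside the expected character set
    // before they reach any message or query.
    if ($hardened && !preg_match('/^[A-Za-z0-9_.-]+$/', $project_id)) {
        return messages_safe('Invalid project id');
    }
    if (find_project($project_id) !== null) {
        return 'ok';
    }
    $msg = 'Project not found: ' . $project_id;
    return $hardened ? messages_safe($msg) : messages_vulnerable($msg);
}

// Constructed input containing markup characters, used only to show the
// difference in output handling.
$input = ['project' => '<b>unknown</b>'];
echo handle($input, false), PHP_EOL;  // markup passes through unchanged
echo handle($input, true), PHP_EOL;   // rejected by the allow-list check
```

With the allow-list check removed, the hardened branch still neutralises the markup, since htmlspecialchars() turns `<b>` into `&lt;b&gt;`; the two layers are independent defences.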
References (2)
Exploit (technical-description): https://gist.github.com/cyberinforepo/5a8d369a005826b6b42bfeed9607c2dd
Third Party Advisory: https://www.vulncheck.com/advisories/oscal-gui-reflected-xss-via-project-parameter-in-oscal-forms-php
Scores
CVSS v3: 6.1
EPSS: 0.0017
EPSS Percentile: 6.4%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
brian-ruf/OSCAL-GUI: versions before commit c989c4bd5a68f2621a81654e9250246539a28d5a
Published: Jun 09, 2026
Tracked Since: Jun 10, 2026