CVE-2026-34417: OSCAL-GUI Reflected XSS Vulnerability (CVSS 6.1)
OSCAL-GUI contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript into a victim's browser. An unauthenticated attacker can craft a malicious URL containing JavaScript code in the project request parameter. When a victim visits this URL, the injected code executes in their browser with the same privileges as the victim, potentially allowing attackers to steal session cookies, perform actions on behalf of the user, or redirect them to phishing sites. The vulnerability requires user interaction—specifically clicking a malicious link—but no authentication is required to exploit it.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-14
NVD description (verbatim)
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in OSCAL-GUI's handling of the project request parameter in oscal-forms.php. The parameter undergoes URL decoding and is assigned to the project_id variable in oscal-functions.php without any input sanitization or output encoding. When the application fails to locate the supplied project ID, the unsanitized value is concatenated directly into an error message via the Messages() function and reflected back into the HTML response body without HTML encoding. This allows an attacker to break out of the intended context and inject arbitrary HTML and JavaScript. The flaw is a classic reflected XSS vulnerability (CWE-79) with a CVSS v3.1 score of 6.1 (MEDIUM severity). The attack vector is network-based, requires no special access conditions, and depends on user interaction.
Business impact
This vulnerability poses a moderate risk to organizations deploying OSCAL-GUI. An attacker could craft convincing phishing campaigns by embedding malicious links in emails or compromised websites, targeting users who work with OSCAL projects. Successful exploitation could lead to unauthorized access to user accounts, theft of session credentials, manipulation of project data, or delivery of malware. The lack of authentication requirements means any user of the application is a potential target. For organizations managing compliance or security-related configurations through OSCAL-GUI, this vulnerability could compromise the integrity of configuration management processes and lead to unauthorized modifications of security-relevant settings.
Affected systems
OSCAL-GUI versions are affected by this vulnerability. Specific affected version ranges are not provided in available advisories; organizations should consult the vendor advisory to confirm which versions are vulnerable and which patches are available. Any deployment of OSCAL-GUI exposed to untrusted users or the internet should be considered at risk.
Exploitability
The vulnerability is relatively straightforward to exploit. An attacker needs only to construct a URL with the malicious payload embedded in the project parameter and trick a user into clicking it. No special tools, authentication, or complex setup is required. However, exploitation does depend on successful social engineering or link distribution—the victim must click the malicious link. The barrier to crafting the attack is low; the barrier to delivering it effectively to a target is medium, dependent on the attacker's ability to reach and persuade users. The vulnerability is not known to be actively exploited in the wild at this time and is not on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Remediation requires updating OSCAL-GUI to a patched version. Organizations should consult the official OSCAL-GUI vendor advisory and release notes to identify the specific patched version addressing CVE-2026-34417. The underlying fix involves implementing proper input validation and output encoding: the project parameter should be validated against a whitelist of expected formats, and any user-supplied data reflected in error messages must be HTML-encoded to prevent script injection. Until patches are available and applied, organizations should consider implementing Web Application Firewall (WAF) rules to detect and block reflected XSS payloads in the project parameter.
Patch guidance
Organizations should immediately verify the availability of patched versions through the official OSCAL-GUI vendor channels and release notes. Apply patches to all instances of OSCAL-GUI in development, testing, and production environments. Given the MEDIUM severity and the ease of exploitation via social engineering, patching should be prioritized within your standard change management process—aim for deployment within 30 days of patch availability. After patching, verify the fix by testing that malicious payloads in the project parameter are properly encoded in error messages and do not execute as JavaScript.
Detection guidance
Monitor for indicators of exploitation: watch web server logs and WAF logs for requests to oscal-forms.php containing URL-encoded or raw JavaScript syntax (e.g., <script>, onerror=, javascript:, etc.) in the project parameter. Look for patterns like %3Cscript%3E, alert(, or common XSS vectors. Browser-based telemetry can detect when users execute unexpected JavaScript; check for unusual network requests or page manipulations originating from error pages. Implement input validation logging to track rejection of suspicious project parameter values. Consider deploying a WAF rule that blocks requests containing known XSS patterns in the project parameter.
Why prioritize this
This vulnerability merits prompt attention despite its MEDIUM severity rating. The lack of authentication requirements, ease of exploitation, and reliance on social engineering make it an attractive attack vector for targeted campaigns. The scope is changed (attack crosses trust boundaries), and both confidentiality and integrity are impacted. Organizations should prioritize patching once updates are available. For environments with user-facing OSCAL-GUI instances, this should take precedence over lower-severity issues.
Risk score, explained
CVSS v3.1 assigns a score of 6.1 (MEDIUM) based on: network-based attack vector, low attack complexity, no privileges required, and user interaction required. The scope is changed, meaning the vulnerability can affect resources beyond its security scope. Confidentiality and integrity are both impacted at low levels. No availability impact is present. The score reflects a realistic threat—not easily automated or massively scalable, but dangerous in targeted scenarios and with moderate likelihood of causing harm to affected users.
Frequently asked questions
Can this vulnerability be exploited without social engineering?
No. While the vulnerability itself is easy to exploit once an attacker has a victim's attention, the attacker must first trick the victim into clicking a malicious link. The vulnerability cannot be exploited through passive network access or by scanning for the application alone.
If we restrict OSCAL-GUI to internal networks only, are we protected?
Restricting network access significantly reduces risk, but does not eliminate it. Internal threats (malicious insiders, compromised internal systems) can still craft and distribute malicious links to other users. Additionally, if any user has internet access, phishing emails can reach them and lead them back to internal OSCAL-GUI instances.
What should we do while waiting for a patch?
Implement WAF rules to block requests with XSS payloads in the project parameter. Educate users about phishing and suspicious links. If feasible, reduce the number of users with access to OSCAL-GUI or disable the application until patches are available. Monitor logs for exploitation attempts.
Does this vulnerability affect OSCAL-GUI in air-gapped environments?
Air-gapped deployments are at lower risk because attackers cannot deliver malicious links across network boundaries. However, risk persists if users copy links from external sources or if removable media is used to transfer data into the air-gapped network.
This analysis is based on information available as of the publication and modification dates noted. Specific affected version ranges and patch availability should be verified directly with the OSCAL-GUI vendor advisory and release notes. Organizations should conduct their own testing to confirm vulnerability status and patch efficacy in their environments. This explainer does not constitute professional security advice; consult with your security team and vendor for guidance specific to your deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings