CVE-2026-28280
Received Received - Intake
Stored XSS in osctrl-admin Query List Enables Admin Takeover

Publication date: 2026-02-26

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user (including administrators) who visits the query list page. This can be chained with CSRF token extraction to escalate privileges and take actions as the logged in user. An attacker with query-level permissions (the lowest privilege tier) can execute arbitrary JavaScript in the browsers of all users who view the query list. Depending on their level of access, it can lead to full platform compromise if an administrator executes the payload. The issue is fixed in osctrl `v0.5.0`. As a workaround, restrict query-level permissions to trusted users, monitor query list for suspicious payloads, and/or review osctrl user accounts for unauthorized administrators.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-28
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28280
EUVD
EUVD-2026-8923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jmpsec osctrl to 0.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in osctrl, an osquery management solution, specifically in versions prior to 0.5.0. It is a stored cross-site scripting (XSS) flaw in the osctrl-admin on-demand query list. A user with query-level permissions can inject arbitrary JavaScript code via the query parameter when running an on-demand query.

The injected JavaScript payload is stored and executes in the browser of any user who visits the query list page, including administrators. This can be combined with cross-site request forgery (CSRF) token extraction to escalate privileges and perform actions as the logged-in user.

Because query-level permissions are the lowest privilege tier, an attacker with these permissions can execute arbitrary JavaScript in the browsers of all users who view the query list, potentially leading to full platform compromise if an administrator executes the payload.

The issue is fixed in osctrl version 0.5.0.

Impact Analysis

This vulnerability can have serious impacts including unauthorized execution of arbitrary JavaScript code in the browsers of users who view the on-demand query list page.

If an attacker with low-level query permissions exploits this vulnerability, they can escalate their privileges by extracting CSRF tokens and performing actions as other users, including administrators.

This can lead to a full platform compromise, allowing the attacker to take control of the system, manipulate data, or disrupt operations.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring the osctrl query list for suspicious payloads that may contain arbitrary JavaScript injections. Since the issue involves stored cross-site scripting (XSS) in the osctrl-admin on-demand query list, reviewing queries for unusual or unexpected script content is essential.

There are no specific commands provided to detect this vulnerability directly on the network or system.

Mitigation Strategies

Immediate mitigation steps include restricting query-level permissions to trusted users only, as users with query-level permissions can inject arbitrary JavaScript.

Additionally, monitor the query list for suspicious payloads and review osctrl user accounts to ensure there are no unauthorized administrators.

Upgrading to osctrl version 0.5.0 or later, where this vulnerability is fixed, is the recommended long-term solution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28280. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart