CVE-2026-28280
Stored XSS in osctrl-admin Query List Enables Admin Takeover
Publication date: 2026-02-26
Last updated on: 2026-02-28
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jmpsec | osctrl | up to 0.5.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in osctrl, an osquery management solution, specifically in versions prior to 0.5.0. It is a stored cross-site scripting (XSS) flaw in the osctrl-admin on-demand query list. A user with query-level permissions can inject arbitrary JavaScript code via the query parameter when running an on-demand query.
The injected JavaScript payload is stored and executes in the browser of any user who visits the query list page, including administrators. This can be combined with cross-site request forgery (CSRF) token extraction to escalate privileges and perform actions as the logged-in user.
Because query-level permissions are the lowest privilege tier, an attacker with these permissions can execute arbitrary JavaScript in the browsers of all users who view the query list, potentially leading to full platform compromise if an administrator executes the payload.
The issue is fixed in osctrl version 0.5.0.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized execution of arbitrary JavaScript code in the browsers of users who view the on-demand query list page.
If an attacker with low-level query permissions exploits this vulnerability, they can escalate their privileges by extracting CSRF tokens and performing actions as other users, including administrators.
This can lead to a full platform compromise, allowing the attacker to take control of the system, manipulate data, or disrupt operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the osctrl query list for suspicious payloads that may contain injected JavaScript. Because the issue is stored cross-site scripting (XSS) in the osctrl-admin on-demand query list, reviewing saved queries for HTML or script content that does not belong in an osquery SQL statement is essential.
No specific commands are provided to detect this vulnerability directly on the network or system.
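One way to carry out the review described above is to scan an export of the on-demand query list for markup that should never appear in a query name or SQL text. This is an added example, not osctrl's own code; the record field names (`name`, `query`, `creator`) and the sample records are constructed assumptions, and the export format is whatever you pull from your own osctrl instance.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample records shaped like an exported osctrl on-demand query list.
# Field names are assumptions, not osctrl's real schema.
SAMPLE_QUERIES = [
    {"name": "list_users", "query": "SELECT * FROM users;", "creator": "analyst1"},
    {"name": "ports<script>alert(1)</script>",
     "query": "SELECT * FROM listening_ports;", "creator": "analyst2"},
    {"name": "procs",
     "query": "SELECT name FROM processes; -- <img src=x onerror=alert(1)>",
     "creator": "analyst2"},
    {"name": "encoded", "query": "%3Cscript%3Ealert(1)%3C/script%3E", "creator": "guest"},
]

# Markup that has no business inside an osquery SQL statement or a query name.
# The event-handler pattern is a heuristic and may flag a column named e.g. "one".
SUSPICIOUS_PATTERNS = [
    ("html_tag", re.compile(r"<\s*/?\s*(script|img|svg|iframe|object|embed|body|input|style)\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
]


def normalize(text):
    """Undo one round of URL and HTML-entity encoding so encoded markup is caught too."""
    return html.unescape(unquote(text))


def find_markup(text):
    """Return the labels of all suspicious patterns found in the decoded text."""
    decoded = normalize(text)
    return [label for label, pattern in SUSPICIOUS_PATTERNS if pattern.search(decoded)]


def scan_queries(records):
    """Return (name, field, labels, creator) for each record with markup in its name or query.

    The creator is included so the account that stored the payload can be reviewed,
    in line with the permission review recommended above.
    """
    findings = []
    for rec in records:
        for field in ("name", "query"):
            labels = find_markup(rec.get(field, ""))
            if labels:
                findings.append((rec["name"], field, labels, rec.get("creator")))
    return findings


if __name__ == "__main__":
    for name, field, labels, creator in scan_queries(SAMPLE_QUERIES):
        print(f"SUSPICIOUS query {name!r}: {field} matches {labels} (created by {creator})")
```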
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting query-level permissions to trusted users only, as users with query-level permissions can inject arbitrary JavaScript.
Additionally, monitor the query list for suspicious payloads and review osctrl user accounts to ensure there are no unauthorized administrators.
Upgrading to osctrl version 0.5.0 or later, where this vulnerability is fixed, is the recommended long-term solution.