CVE-2026-42086: OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender

April 22, 2026 (updated May 4, 2026)

The Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage.

References

github.com/OpenC3/cosmos
github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x
github.com/advisories/GHSA-ffq5-qpvf-xq7x
nvd.nist.gov/vuln/detail/CVE-2026-42086

Code Behaviors & Features

Detect and mitigate CVE-2026-42086 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →