CVE-2026-28280: osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List

February 28, 2026

A stored Cross-site Scripting (XSS) vulnerability exists in the osctrl-admin on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user (including administrators) who visits the query list page. This can be chained with CSRF token extraction to escalate privileges and take actions as the logged in user.

References

github.com/advisories/GHSA-4rv8-5cmm-2r22
github.com/jmpsec/osctrl
github.com/jmpsec/osctrl/pull/778
github.com/jmpsec/osctrl/security/advisories/GHSA-4rv8-5cmm-2r22
nvd.nist.gov/vuln/detail/CVE-2026-28280

Code Behaviors & Features

Detect and mitigate CVE-2026-28280 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →