Self-XSS Vulnerability in OpenC3 COSMOS Command Sender UI
CVE-2026-42086

4.6 MEDIUM

Key Information:

Vendor: Openc3
Status: Vendor
CVE Published: 4 May 2026

What is CVE-2026-42086?

The OpenC3 COSMOS Command Sender UI prior to version 7.0.0 passes command input parameters through the unsafe eval() function. This flaw allows an attacker to execute attacker-supplied script in a victim's browser session, leading to potential data leakage or unauthorized data modification, including access to session tokens stored in local storage. Users are encouraged to update to version 7.0.0 to mitigate these risks.
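The following is an added illustration of the bug class named above, not code from the OpenC3 COSMOS project: converting a typed-in parameter value with eval() executes the value as JavaScript, whereas a restricted parser only ever yields data. The helper names parseParamUnsafe, parseParamSafe and isRejected are hypothetical.

```javascript
// Added example; not OpenC3 COSMOS code. Helper names are hypothetical.

// Vulnerable pattern: the value typed into a command-parameter field is handed
// to eval() to turn "1", "0x1F" or "[1, 2]" into a JavaScript value.
function parseParamUnsafe(text) {
  return eval(text); // any script in the field runs in the app's origin
}

// Hardened pattern: accept only the literal forms a parameter can take and
// reject everything else, so the input is never executed.
function parseParamSafe(text) {
  const s = String(text).trim();
  if (/^-?\d+(\.\d+)?$/.test(s)) return Number(s);          // decimal
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s, 16);      // hex
  if (/^"(?:[^"\\]|\\.)*"$/.test(s)) return JSON.parse(s);   // "string"
  if (/^'[^'\\]*'$/.test(s)) return s.slice(1, -1);          // 'string'
  if (s.startsWith('[') && s.endsWith(']')) {
    let arr;
    try { arr = JSON.parse(s); } catch (e) { throw new Error('malformed array'); }
    if (!arr.every((v) => typeof v === 'number' || typeof v === 'string')) {
      throw new Error('array may only hold numbers and strings');
    }
    return arr;
  }
  throw new Error('rejected parameter value: ' + s);
}

// Returns true when the safe parser refuses the input.
function isRejected(text) {
  try { parseParamSafe(text); return false; } catch (e) { return true; }
}

// Constructed sample inputs: four legitimate values and one that is code.
const samples = ['42', '0x1F', '"ABORT"', '[1, 2]', '1+1'];
for (const s of samples) {
  const out = isRejected(s) ? 'rejected' : JSON.stringify(parseParamSafe(s));
  console.log(JSON.stringify(s), '->', out);
}
```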

Affected Version(s)

cosmos < 7.0.0

References

CVSS V3.1

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
