CVE-2026-34417
6.1 MEDIUMOSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript i...
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 6.1 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-79
Description
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2025-8444 — The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based St... (6.4 MEDIUM)
- CVE-2026-46518 — OpenEMR is a free and open source electronic health records and medical practice management application (7.7 HIGH)
- CVE-2026-41003 — An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Secu... (7.6 HIGH)
- CVE-2026-25860 — OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to... (6.1 MEDIUM)
- CVE-2026-47933 — ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by... (4.8 MEDIUM)