CVE-2025-28380

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-28380

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28380.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-28380

Published

2025-06-13T14:15:20.030Z

Modified

2026-04-10T05:24:23.685303Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A cross-site scripting (XSS) vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the URL parameter.

References

Affected packages

Git / github.com/openc3/cosmos

Affected ranges

Type

GIT

Repo

https://github.com/openc3/cosmos

Events

Introduced

Last affected

6e0d24067e57572254471e0460bcc10931740c40

Fixed

12e3e12307afd3dbfc306f20d60400989db89883

Fixed

65fd4be2423c5d9d84642a7c0f049f0b36998dde

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.0.0"
        }
    ]
}

Affected versions

v3.*

v3.0.0

v3.1.0

v3.1.1

v3.1.2

v3.2.1

v3.3.0

v3.3.1

v3.4.0

v3.4.1

v3.4.2

v3.5.1

v3.6.0

v3.6.1

v3.6.2

v3.7.0

v3.8.0

v3.8.1

v3.8.2

v3.8.3

v3.9.0

v3.9.1

v3.9.2

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.1.0

v4.1.1

v4.2.3

v4.3.0

v5.*

v5.0.0

v5.0.0-beta.1

v5.0.0.beta2

v5.0.1

v5.0.10

v5.0.11

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v5.0.7

v5.0.8

v5.0.9

v5.1.0

v5.1.1

v5.10.0

v5.10.1

v5.11.0

v5.11.1

v5.11.2

v5.11.3

v5.12.0

v5.13.0

v5.14.0

v5.14.1

v5.14.2

v5.15.0

v5.15.1

v5.15.2

v5.16.0

v5.16.1

v5.16.2

v5.17.0

v5.17.1

v5.18.0

v5.19.0

v5.2.0

v5.20.0

v5.3.0

v5.4.0

v5.4.1

v5.4.2

v5.4.3-beta0

v5.5.0

v5.5.0-beta0

v5.5.1

v5.5.2

v5.5.2-beta0

v5.6.0

v5.6.1

v5.7.0

v5.7.2

v5.8.0

v5.8.1

v5.9.0

v5.9.1

v6.*

v6.0.0

v6.0.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28380.json"