CVE-2025-28386
- Source
- https://cve.org/CVERecord?id=CVE-2025-28386
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28386.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-28386
- Aliases
- Published
- 2025-06-13T14:15:20.713Z
- Modified
- 2026-05-20T08:11:44.925146021Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file.
- References
Affected packages
Git / github.com/openc3/cosmos
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openc3/cosmos
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "6.0.0" }, { "introduced": "0" }, { "last_affected": "6.0.0" } ] }
Affected versions
v3.*
v3.0.0
v3.1.0
v3.1.1
v3.1.2
v3.2.1
v3.3.0
v3.3.1
v3.4.0
v3.4.1
v3.4.2
v3.5.1
v3.6.0
v3.6.1
v3.6.2
v3.7.0
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.9.0
v3.9.1
v3.9.2
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.1.0
v4.1.1
v4.2.3
v4.3.0
v5.*
v5.0.0
v5.0.0-beta.1
v5.0.0.beta2
v5.0.1
v5.0.10
v5.0.11
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.1
v5.10.0
v5.10.1
v5.11.0
v5.11.1
v5.11.2
v5.11.3
v5.12.0
v5.13.0
v5.14.0
v5.14.1
v5.14.2
v5.15.0
v5.15.1
v5.15.2
v5.16.0
v5.16.1
v5.16.2
v5.17.0
v5.17.1
v5.18.0
v5.19.0
v5.2.0
v5.20.0
v5.3.0
v5.4.0
v5.4.1
v5.4.2
v5.4.3-beta0
v5.5.0
v5.5.0-beta0
v5.5.1
v5.5.2
v5.5.2-beta0
v5.6.0
v5.6.1
v5.7.0
v5.7.2
v5.8.0
v5.8.1
v5.9.0
v5.9.1
v6.*
v6.0.0