GHSA-4rv8-5cmm-2r22

Suggest an improvement
Source
https://github.com/advisories/GHSA-4rv8-5cmm-2r22
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4rv8-5cmm-2r22/GHSA-4rv8-5cmm-2r22.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4rv8-5cmm-2r22
Aliases
Published
2026-02-28T02:07:15Z
Modified
2026-03-04T15:06:29.774133Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List
Details

Summary

A stored Cross-site Scripting (XSS) vulnerability exists in the osctrl-admin on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user (including administrators) who visits the query list page. This can be chained with CSRF token extraction to escalate privileges and take actions as the logged in user.

Impact

An attacker with query-level permissions (the lowest privilege tier) can execute arbitrary JavaScript in the browsers of all users who view the query list. Depending on their level of access, it can lead to full platform compromise if an administrator executes the payload.

Patches

Fixed in osctrl v0.5.0. Users should upgrade immediately.

Workarounds

Restrict query-level permissions to trusted users. Monitor query list for suspicious payloads. Review osctrl user accounts for unauthorized administrators.

References

  • https://github.com/jmpsec/osctrl/pull/778
  • https://cwe.mitre.org/data/definitions/79.html

Credits

Leon Johnson and Kwangyun Keum from TikTok USDS JV Offensive Security Operations (Offensive Privacy Team)

https://github.com/Kwangyun → @Kwangyun

https://github.com/sho-luv → @sho-luv

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-02-26T23:16:37Z",
    "github_reviewed_at": "2026-02-28T02:07:15Z",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/jmpsec/osctrl

Package

Name
github.com/jmpsec/osctrl
View open source insights on deps.dev
Purl
pkg:golang/github.com/jmpsec/osctrl

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.5.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4rv8-5cmm-2r22/GHSA-4rv8-5cmm-2r22.json"