CVE-2026-34416

MEDIUM 6.1

OSCAL-GUI Reflected XSS via project parameter in oscal.php

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter. Attackers can craft a malicious URL containing unsanitized input that breaks out of the JavaScript string and HTML attribute context in the body onload event handler to execute arbitrary scripts when the link is visited by a victim.

CWE	CWE-79
Vendor	brian-ruf
Product	oscal-gui
Published	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for brian-ruf oscal-gui

Be the first to know when new medium vulnerabilities affecting brian-ruf oscal-gui are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

brian-ruf / OSCAL-GUI

0 ≤ c989c4bd5a68f2621a81654e9250246539a28d5a

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gist.github.com: https://gist.github.com/cyberinforepo/5a8d369a005826b6b42bfeed9607c2dd vulncheck.com: https://www.vulncheck.com/advisories/oscal-gui-reflected-xss-via-project-parameter-in-oscal-php

Credits

philopentest VulnCheck