CVE-2026-34417

MEDIUM 6.1

OSCAL-GUI Reflected XSS via project parameter in oscal-forms.php

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding.

CWE	CWE-79
Vendor	brian-ruf
Product	oscal-gui
Published	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for brian-ruf oscal-gui

Be the first to know when new medium vulnerabilities affecting brian-ruf oscal-gui are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

brian-ruf / OSCAL-GUI

0 ≤ c989c4bd5a68f2621a81654e9250246539a28d5a

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gist.github.com: https://gist.github.com/cyberinforepo/5a8d369a005826b6b42bfeed9607c2dd vulncheck.com: https://www.vulncheck.com/advisories/oscal-gui-reflected-xss-via-project-parameter-in-oscal-forms-php

Credits

philopentest VulnCheck