PYSEC-2026-105

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/openc3/PYSEC-2026-105.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2026-105
Aliases
Published
2026-05-04T18:16:30.667Z
Modified
2026-05-20T09:19:10.269368Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
[none]
Details

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0.
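
The pattern the advisory describes, shown as an added example that is not OpenC3 COSMOS code: a browser-side handler that turns the text of an array-like command parameter into a JavaScript array. The function names, the `maxItems` limit and the sample inputs are assumptions made for this illustration. The unsafe variant hands the field text to `eval()`, so anything typed or pasted into the field runs in the user's own session; the hardened variant uses `JSON.parse`, which never executes code, and then validates the shape so only flat arrays of primitive values reach the command layer.

```javascript
// Added example (not OpenC3 COSMOS code). Names and limits are assumptions.

// Vulnerable pattern: "parsing" an array parameter with eval() executes
// whatever JavaScript the field contains, in the current user's session.
function parseArrayParamUnsafe(text) {
  // eslint-disable-next-line no-eval
  return eval(text); // DO NOT use: arbitrary code execution in the browser
}

// Hardened pattern: JSON.parse only produces data, never runs code.
// Afterwards validate the shape so the command layer sees only a flat
// array of numbers, strings or booleans, bounded in length.
function parseArrayParamSafe(text, maxItems = 1024) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    throw new Error("array parameter must be valid JSON, e.g. [1, 2, 3]");
  }
  if (!Array.isArray(value)) {
    throw new Error("array parameter must be a JSON array");
  }
  if (value.length > maxItems) {
    throw new Error(`array parameter exceeds ${maxItems} items`);
  }
  for (const item of value) {
    const t = typeof item;
    if (t !== "number" && t !== "string" && t !== "boolean") {
      throw new Error("array items must be numbers, strings or booleans");
    }
  }
  return value;
}

// Constructed inputs: a plain JSON array, and an expression that is not
// JSON at all. eval() computes the expression; the safe parser rejects it.
function demo() {
  const benign = "[1, 2, 3]";
  const expr = "[1 + 1]";
  const results = {
    safeBenign: parseArrayParamSafe(benign),   // [1, 2, 3]
    unsafeExpr: parseArrayParamUnsafe(expr),   // [2]: code was executed
    safeRejectsExpr: false,
  };
  try {
    parseArrayParamSafe(expr);
  } catch (e) {
    results.safeRejectsExpr = true;            // true
  }
  return results;
}
```

The type check matters as much as the switch away from `eval()`: a nested object or array that is passed straight through can still reach code that later interpolates it into the DOM. A Content-Security-Policy that omits `'unsafe-eval'` is a second, independent layer: with it in place, the unsafe variant above throws at runtime instead of executing the field's contents, which makes an accidental reintroduction of `eval()` visible in testing.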

References

Affected packages

Package
PyPI / openc3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.0.0

Affected versions

0.*
0.1.0
5.*
5.9.2b0
5.10.0
5.10.1
5.11.0
5.11.1
5.11.2
5.11.3
5.12.0
5.13.0
5.14.0
5.14.1
5.14.2
5.15.0
5.15.1
5.15.2
5.16.0
5.16.1
5.16.2
5.17.0
5.17.1
5.18.0
5.19.0
5.20.0
6.*
6.0.0
6.0.1
6.0.2
6.1.0
6.2.0
6.2.1
6.3.0
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.7.0
6.8.0
6.8.1
6.9.0
6.9.1
6.9.2
6.10.0
6.10.1
6.10.2
6.10.3
6.10.4
6.10.5
6.10.6
7.*
7.0.0rc2
7.0.0rc3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/openc3/PYSEC-2026-105.yaml"