PT-2026-22226 · Osctrl · Osctrl
Author: Kwangyun +1
Published: 2026-02-26 · Updated: 2026-03-25
CVE-2026-28280
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: osctrl versions prior to 0.5.0
Description: osctrl is an osquery management solution. A stored cross-site scripting (XSS) issue exists in the osctrl-admin on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user, including administrators, who visits the query list page. This can be combined with Cross-Site Request Forgery (CSRF) token extraction to escalate privileges and perform actions as the logged-in user. An attacker with query-level permissions can execute arbitrary JavaScript in the browsers of all users who view the query list, potentially leading to full platform compromise if an administrator executes the payload.
Recommendations: Restrict query-level permissions to trusted users. Monitor the query list for suspicious payloads. Review osctrl user accounts for unauthorized administrators.
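The description above turns on one rendering decision: whether the stored query text is HTML-escaped when the query list page is built. The following Go program is an added example and is not osctrl's code; it assumes a constructed StoredQuery record and a single table-row template, and it does not claim to reproduce how osctrl renders its list. It renders the same records once with html/template (contextual escaping, the safe pattern) and once with text/template (no escaping, the pattern that produces stored XSS), and adds a narrow heuristic check that flags stored queries containing markup, in line with the recommendation to monitor the query list. The payload string in the sample data is a constructed canary, not something taken from the advisory.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
	texttemplate "text/template"
)

// StoredQuery is a constructed stand-in for one saved on-demand query.
// It is not osctrl's data model; only the shape needed for the demo.
type StoredQuery struct {
	Name  string
	Query string
}

// SampleQueries returns constructed sample records: two ordinary osquery
// statements and one whose query text carries an HTML payload (a canary).
func SampleQueries() []StoredQuery {
	return []StoredQuery{
		{Name: "procs", Query: "SELECT name, path FROM processes WHERE pid = 1;"},
		{Name: "info", Query: "SELECT version FROM osquery_info;"},
		{Name: "bad", Query: "SELECT 1; <script>alert(1)</script>"},
	}
}

// rowTmpl is the same template text executed by both renderers below.
const rowTmpl = `{{range .}}<tr><td>{{.Name}}</td><td>{{.Query}}</td></tr>{{end}}`

// RenderSafe uses html/template, which escapes every interpolated value
// according to its HTML context, so stored markup is shown as literal text.
func RenderSafe(qs []StoredQuery) (string, error) {
	t, err := template.New("list").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, qs); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnsafe uses text/template, which performs no escaping at all.
// Interpolating stored user input this way is what yields stored XSS.
func RenderUnsafe(qs []StoredQuery) (string, error) {
	t, err := texttemplate.New("list").Parse(rowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, qs); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// suspiciousMarkup is a deliberately narrow heuristic: an osquery statement
// is SQL and has no business containing these tag names, an inline event
// handler attribute, or a javascript: URL. Word boundaries keep ordinary
// SQL such as "condition = 1" from matching the handler pattern.
var suspiciousMarkup = regexp.MustCompile(
	`(?i)<\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:`)

// FlagSuspicious returns the names of stored queries whose text matches
// the heuristic, so the query list can be reviewed as the advisory recommends.
func FlagSuspicious(qs []StoredQuery) []string {
	var flagged []string
	for _, q := range qs {
		if suspiciousMarkup.MatchString(q.Query) {
			flagged = append(flagged, q.Name)
		}
	}
	return flagged
}

func main() {
	qs := SampleQueries()
	safe, _ := RenderSafe(qs)
	unsafe, _ := RenderUnsafe(qs)
	fmt.Println("html/template:", safe)
	fmt.Println("text/template:", unsafe)
	fmt.Println("flagged:", FlagSuspicious(qs))
}
```

Running it shows the html/template output containing `&lt;script&gt;alert(1)&lt;/script&gt;` inside the cell, while the text/template output carries the raw tag that a browser would execute; the heuristic flags only the record named "bad". The check is a review aid, not a substitute for output encoding: escaping at render time is what removes the vulnerability class, whereas pattern matching only surfaces records worth a look.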

Tags: Exploit · Fix · XSS

Related Identifiers

CVE-2026-28280
GHSA-4RV8-5CMM-2R22
GO-2026-4576
SUSE-SU-2026:1042-1

Affected Products

Osctrl