CVE-2026-42086

Name of the Vulnerable Software and Affected Versions OpenC3 COSMOS versions prior to 7.0.0

Description The Command Sender UI uses an unsafe eval() function on array-like command parameters. This allows a user-supplied payload to execute in the browser when sending a command, creating a self-XSS (Cross-Site Scripting) risk. An attacker could trigger script execution in a victim's session if they can influence the array parameter input, such as through phishing. Successful exploitation may allow an attacker to read or modify data within the authenticated browser context, including session tokens stored in local storage.

Recommendations Update to version 7.0.0.