CVE-2026-34416
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter.
Risk Assessment
Attackers can craft a malicious URL that, when visited by a victim, executes arbitrary scripts, potentially leading to data theft or session hijacking.
Recommendation
It is recommended to validate and sanitize all input data and implement appropriate XSS protections in the OSCAL-GUI application.
Original NVD description (English source)
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter. Attackers can craft a malicious URL containing unsanitized input that breaks out of the JavaScript string and HTML attribute context in the body onload event handler to execute arbitrary scripts when the link is visited by a victim.

