GHSA-4rv8-5cmm-2r22: osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List
medium
vulnerability
security
Summary
osctrl-admin, a system administration tool, has a stored XSS vulnerability (cross-site scripting, where malicious code injected into a website executes when other users view it) in its on-demand query list. Users with basic query permissions can inject harmful JavaScript that runs in the browsers of anyone viewing the query list, including administrators, potentially allowing attackers to steal credentials or take control of the entire platform.
Solution / Mitigation
Fixed in osctrl v0.5.0. Users should upgrade immediately.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Sophistication: Trivial
Affected Packages
github.com/jmpsec/osctrl@< 0.5.0 (fixed: 0.5.0)
Original source: https://github.com/advisories/GHSA-4rv8-5cmm-2r22
First tracked: February 27, 2026 at 11:00 PM
Classified by LLM (prompt v3) · confidence: 95%