The vulnerability identified as CVE-2026-28280 affects jmpsec's osctrl, an osquery management platform, in versions prior to 0.5.0. It is a stored cross-site scripting (XSS) flaw categorized under CWE-79, caused by improper neutralization of input during web page generation. Specifically, users with query-level permissions can inject arbitrary JavaScript code via the query parameter when running on-demand queries. This malicious payload is stored persistently and executes in the browsers of any users who access the on-demand query list page, including administrators. Because the script runs in the context of the victim's browser session, it can steal sensitive information such as CSRF tokens. Attackers can leverage this to escalate privileges beyond their initial query-level access, potentially taking full control of the osctrl platform. The vulnerability requires the attacker to have at least query-level permissions, which is the lowest privilege tier, and user interaction in the form of viewing the infected query list page. The vulnerability does not affect availability but impacts confidentiality and integrity significantly. The vendor fixed this issue in version 0.5.0. No known exploits are reported in the wild as of the publication date. Workarounds include restricting query-level permissions to trusted users, monitoring query lists for suspicious payloads, and auditing user accounts for unauthorized administrators.

This vulnerability poses a significant risk to organizations using osctrl versions prior to 0.5.0. Since query-level permissions are the lowest privilege tier, an attacker with minimal access can execute arbitrary JavaScript in the browsers of all users who view the query list, including administrators. This can lead to theft of authentication tokens, session hijacking, and privilege escalation, potentially resulting in full platform compromise. The impact extends to confidentiality and integrity of the platform and its managed endpoints. Organizations relying on osctrl for osquery management could face unauthorized data access, manipulation of queries, and disruption of endpoint monitoring and management workflows. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially in environments with multiple users having query-level access. The vulnerability could be exploited internally or by compromised accounts, making insider threats or credential theft scenarios particularly dangerous.

To mitigate this vulnerability, organizations should upgrade osctrl to version 0.5.0 or later, where the issue is fixed. Until an upgrade is possible, restrict query-level permissions strictly to trusted users only, minimizing the attack surface. Implement monitoring and alerting on the on-demand query list for suspicious or unexpected JavaScript payloads. Conduct regular audits of user accounts to detect unauthorized administrators or users with query-level permissions. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks. Educate users, especially administrators, to be cautious when interacting with query lists and to report unusual behavior. Additionally, consider isolating the osctrl management interface within a secure network segment to limit exposure. Finally, review and harden session management and CSRF protections to reduce the risk of token theft and privilege escalation.