SCA: security update for openc3 (GHSA-ffq5-qpvf-xq7x)

Medium | Tenable Self-Hosted Container Security | Plugin ID 440739

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI passes array-like command parameters through an unsafe eval() call, so a user-supplied payload in that field executes as JavaScript in the browser when the command is sent. This is a self-XSS: the script runs only in the session of the user who submits it, so an attacker must get the victim to enter or paste the crafted array parameter themselves, for example via phishing. If successful, the attacker can read or modify data in the authenticated browser context, including session tokens held in local storage. This issue has been patched in version 7.0.0. (CVE-2026-42086)
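The following is an added illustration of the vulnerable pattern and one way to fix it; it is not OpenC3 code and does not reproduce the actual Command Sender implementation. It assumes the UI receives the array parameter as a text field such as "[1, 2, 3]" and needs a JavaScript array back. The unsafe version hands that text to eval(), so any valid JavaScript expression in the field runs with the user's session; the safe version parses it as JSON (data, never code) and then checks that the result is a flat array of numbers or strings. The payload is constructed for this example and only sets a marker on globalThis so that the demonstration runs offline in Node; in a browser the same position in the input could read localStorage instead.

```javascript
// Added example, not OpenC3 code: eval() on a user-controlled text field
// versus a JSON parse with shape validation.

// Vulnerable pattern (as described in the advisory): the text typed into the
// array parameter field is evaluated as JavaScript.
function parseArrayParamUnsafe(text) {
  return eval(text);
}

// Hardened replacement: JSON.parse never executes code. A payload that is a
// JavaScript expression but not valid JSON throws instead of running.
// Returns the array on success; throws on anything that is not a flat array
// of numbers or strings.
function parseArrayParamSafe(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    throw new Error(`array parameter is not valid JSON: ${e.message}`);
  }
  if (!Array.isArray(value)) {
    throw new Error("array parameter must be a JSON array");
  }
  for (const item of value) {
    const t = typeof item;
    if (t !== "number" && t !== "string") {
      throw new Error(`unsupported element type: ${t}`);
    }
  }
  return value;
}

// Constructed sample inputs: a legitimate parameter and a self-XSS payload.
// The payload still evaluates to [1, 2, 3], so the command looks normal to the
// user, but the comma expression runs arbitrary code first. Here that code
// only sets a marker; in a browser it could read window.localStorage.
const BENIGN = "[1, 2, 3]";
const PAYLOAD = "[1, 2, (globalThis.xssMarker = 'executed', 3)]";

// Runs both parsers over both inputs and reports whether the payload's
// side effect happened under each one.
function demo() {
  delete globalThis.xssMarker;
  const unsafeBenign = parseArrayParamUnsafe(BENIGN);
  const unsafePayload = parseArrayParamUnsafe(PAYLOAD);
  const unsafeExecuted = globalThis.xssMarker === "executed";

  delete globalThis.xssMarker;
  const safeBenign = parseArrayParamSafe(BENIGN);
  let safeRejected = false;
  try {
    parseArrayParamSafe(PAYLOAD);
  } catch (e) {
    safeRejected = true;
  }
  const safeExecuted = globalThis.xssMarker === "executed";

  return {
    unsafeBenign,
    unsafePayload,
    unsafeExecuted,
    safeBenign,
    safeRejected,
    safeExecuted,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running the block prints an object in which the unsafe parser returns [1, 2, 3] for both inputs but reports that the payload executed, while the safe parser returns the same array for the legitimate input and rejects the payload without executing anything. The JSON-only approach is deliberately strict: the fix is to stop treating the field as code at all, not to filter dangerous substrings out of it.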

Solution

Update the openc3 library and its related packages to version 7.0.0 or later.

See Also

https://github.com/advisories/GHSA-ffq5-qpvf-xq7x

Plugin Details

Severity: Medium

ID: 440739

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 4/23/2026

Updated: 5/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.68

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2026-42086

CVSS v3

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/22/2026

Vulnerability Publication Date: 4/22/2026

Reference Information

CVE: CVE-2026-42086

CWE: CWE-79