2 matches found
CVE-2026-28279
The CVE affects osctrl prior to v0.5.0, where an authenticated administrator can inject shell commands via the hostname in osctrl-admin environment configurations. The commands are embedded into enrollment one-liner scripts generated with Go's text/template (no shell escaping) and execute on ever...
CVE-2026-28280
CVE-2026-28280: osctrl prior to v0.5.0 allows a stored XSS in the on-demand query list within the admin UI. A user with query-level permissions can inject JavaScript via the query parameter when running an on-demand query, with the payload stored and executed in browsers of all users who view th...