top of page
perceptive_background_267k.jpg

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0…

Published:

3 May 2026 at 22:00:00

Alert date:

4 May 2026 at 19:04:04

Source:

nvd.nist.gov

Click to open the original link from this advisory

Database & Storage, Enterprise Applications

A SQL injection vulnerability affects OpenC3 COSMOS versions 6.7.0 to before 7.0.0-rc3 in the Time-Series Database (TSDB) component. The vulnerability exists in the tsdb_lookup function within the cvt_model.rb file, which directly places user-supplied input into SQL queries without proper sanitization. This allows attackers to break out of the initial SQL statement and execute arbitrary SQL commands, including data deletion. The issue has been patched in version 7.0.0-rc3. OpenC3 COSMOS is a system that provides functionality for sending commands to and receiving data from embedded systems.

Technical details

Mitigation steps:

Affected products:

OpenC3 COSMOS

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-42087
https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a2e4ea67ab35fe403e041415
https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page