A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file.
The vulnerability (CWE-94 — improper control of code generation) consists of the ability to upload a crafted file with a .txt extension to the plugin management component. This file contains malicious code that is subsequently interpreted or executed by the server-side application. The lack of proper validation of the uploaded file content allows bypassing security mechanisms and executing arbitrary instructions in the context of the application process.
An attacker can remotely execute arbitrary code on the server without requiring any privileges, which may lead to complete system takeover, data leakage, and violation of the platform's integrity and availability.
Patches available from the vendor should be applied according to the references. Additionally, it is recommended to restrict access to the Plugin Management component exclusively to trusted and authenticated users, and to monitor attempts to upload files to this module.
OpenC3 COSMOS v6.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenc3 Cosmos
APPOpenc36.0.0
Related vulnerabilities
OpenC3 COSMOS: ominięcie uprawnień API i dostęp do usług wewnętrznych sieci Docker
SQL Injection w komponencie TSDB OpenC3 COSMOS (CVE-2026-42087)
Path Traversal w endpoincie /script-api/scripts/ OpenC3 COSMOS
OpenC3 COSMOS: Obejście uwierzytelnienia przez słabe wymagania haseł
OpenC3 COSMOS — hardcoded credentials w koncie Service Account