CRITICAL 9.8

PYSEC-2025-149

Details

A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / openc3

Introduced in: 0

No fixed version published yet for openc3 (pip). Pin to a known-safe version or switch to an alternative.

References

https://openc3.com/ [WEB]
https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/ [EVIDENCE]