Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Network-accessible XSS requires low-privilege attacker authentication (PR:L) and active victim interaction (UI:R); impact is session-scoped with no availability consequence.
Primary rating from Vendor (zdi).
CVSS VectorVendor: zdi
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to execute arbitrary script on affected installations of Allegra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the downloadAttachment method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to execute script in the context of the current user. Was ZDI-CAN-28236.
AnalysisAI
Cross-site scripting in Allegra's downloadAttachment method enables authenticated remote attackers to inject and execute arbitrary JavaScript within a victim user's browser session. Exploitation requires an authenticated low-privilege attacker account and mandatory victim interaction - the target must visit a malicious page or open a crafted file - limiting the realistic attack surface. Reported by Zero Day Initiative (ZDI-CAN-28236 / ZDI-26-358), patched in Allegra 9.0.0. No public exploit code and no active exploitation (CISA KEV) identified at time of analysis.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: the downloadAttachment server-side method fails to sanitize or encode attacker-controlled data before reflecting or rendering it in the HTTP response consumed by a victim's browser. This allows injection of HTML/JavaScript payloads. The affected product is Allegra, a project management platform developed by Alltena, identified by CPE cpe:2.3:a:allegra:allegra:*:*:*:*:*:*:*:*, indicating all versions up to the patched 9.0.0 release are in scope. Stored or reflected XSS via file attachment handling is a common attack surface in collaboration tools where user-supplied filenames, MIME types, or inline content are rendered without adequate output encoding.
RemediationAI
Upgrade Allegra to version 9.0.0 or later, as documented in the Alltena release notes at https://alltena.com/en/resources/release-notes/release-notes-for-release-9-0-0/. This is the vendor-confirmed fix. If immediate upgrade is not feasible, restrict the downloadAttachment endpoint via network-layer controls (WAF rules targeting script injection patterns in attachment parameters) and enforce strict Content-Security-Policy headers to limit script execution origins - note that CSP is a defense-in-depth measure and not a substitute for patching, as bypasses exist. Additionally, limit low-privilege external account creation and implement user-awareness controls around opening unexpected attachments from other users within the platform. The ZDI advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-358/ may contain additional compensating guidance.
Allegra project tracking software contains an authentication bypass in the password recovery token generation. Unauthent
Directory traversal vulnerability in Allegra's extractFileFromZip method that allows authenticated attackers to execute
Allegra unzipFile Directory Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerab
Allegra loadFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS
Allegra renderFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVS
Directory traversal in Allegra's exportReport method exposes arbitrary server-side files to authenticated remote attacke
Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.3)
Allegra isZipEntryValide Directory Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this v
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36634
GHSA-m8wq-7mhg-mgm7