Skip to main content

CVE-2026-29828

| EUVDEUVD-2026-13730 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 mitre
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 16:45 euvd
EUVD-2026-13730
Analysis Generated
Mar 20, 2026 - 16:45 vuln.today
CVE Published
Mar 20, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc.

AnalysisAI

DooTask v1.6.27 contains a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> endpoint via the projectDesc input field, allowing an attacker to inject malicious JavaScript that executes in the context of other users' browsers. An authenticated or unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A proof-of-concept has been publicly disclosed on GitHub, increasing the likelihood of active exploitation.

Technical ContextAI

The vulnerability exists in DooTask's project management module, specifically in the project description field handling. The root cause is improper input validation and output encoding of the projectDesc parameter, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). DooTask is a self-hosted task management application written in PHP/Vue.js that processes user-supplied data without adequate sanitization before rendering it in the HTML context of the /manage/project/<id> page. The affected product is identified via the GitHub repository kuaifan/dootask, though CPE metadata is incomplete (cpe:2.3:a:n/a:n/a), indicating either a data collection gap or that the vendor has not registered formal CPE strings. The vulnerability likely affects the web application layer where project metadata is displayed to authorized users without context-aware encoding.

RemediationAI

Update DooTask to a patched version released after v1.6.27 by checking the official GitHub repository (https://github.com/kuaifan/dootask) for security releases and changelogs. If a patch is not yet available, implement immediate mitigations: restrict access to the /manage/project endpoint using network-level controls (firewall, reverse proxy), enforce strong Content Security Policy (CSP) headers to block inline script execution, and disable or sanitize the projectDesc field at the application configuration level if functionality allows. For self-hosted deployments, audit all project descriptions in the database for injected payloads using regex patterns typical of XSS (e.g., <script>, onerror=, javascript:). Enable HTTP-only and Secure flags on session cookies to prevent session fixation attacks via XSS. Once a patch is available, apply it immediately and verify via the provided proof-of-concept that the vulnerability is resolved.

Share

CVE-2026-29828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy