Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc.
AnalysisAI
DooTask v1.6.27 contains a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> endpoint via the projectDesc input field, allowing an attacker to inject malicious JavaScript that executes in the context of other users' browsers. An authenticated or unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A proof-of-concept has been publicly disclosed on GitHub, increasing the likelihood of active exploitation.
Technical ContextAI
The vulnerability exists in DooTask's project management module, specifically in the project description field handling. The root cause is improper input validation and output encoding of the projectDesc parameter, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). DooTask is a self-hosted task management application written in PHP/Vue.js that processes user-supplied data without adequate sanitization before rendering it in the HTML context of the /manage/project/<id> page. The affected product is identified via the GitHub repository kuaifan/dootask, though CPE metadata is incomplete (cpe:2.3:a:n/a:n/a), indicating either a data collection gap or that the vendor has not registered formal CPE strings. The vulnerability likely affects the web application layer where project metadata is displayed to authorized users without context-aware encoding.
RemediationAI
Update DooTask to a patched version released after v1.6.27 by checking the official GitHub repository (https://github.com/kuaifan/dootask) for security releases and changelogs. If a patch is not yet available, implement immediate mitigations: restrict access to the /manage/project endpoint using network-level controls (firewall, reverse proxy), enforce strong Content Security Policy (CSP) headers to block inline script execution, and disable or sanitize the projectDesc field at the application configuration level if functionality allows. For self-hosted deployments, audit all project descriptions in the database for injected payloads using regex patterns typical of XSS (e.g., <script>, onerror=, javascript:). Enable HTTP-only and Secure flags on session cookies to prevent session fixation attacks via XSS. Once a patch is available, apply it immediately and verify via the provided proof-of-concept that the vulnerability is resolved.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13730