Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Taiga is a project management platform for startups and agile developers. Prior 6.9.1, Taiga front is vulnerable to stored XSS. This vulnerability is fixed in 6.9.1.
AnalysisAI
Taiga Front prior to version 6.9.1 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with limited privileges to inject malicious scripts into confirmation messages and dialogs. When other users view these messages, the scripts execute in their browser context, potentially allowing attackers to steal session cookies, perform unauthorized actions, or redirect victims to malicious sites. The vulnerability requires user interaction (UI:R) but affects confidentiality with a CVSS score of 5.7.
Technical ContextAI
The vulnerability exists in the Taiga Front confirmation service module (confirm.coffee), where user-supplied message content was being processed through a 'textToHTML' filter and then inserted into the DOM using the .html() method. The .html() method interprets its argument as HTML and executes any embedded JavaScript. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the improper handling of untrusted data in a client-side templating context. The fix replaces .html() with .text(), which treats input as plain text and automatically escapes HTML entities, preventing script execution. This affects the CPE cpe:2.3:a:taigaio:taiga-front, which represents the Taiga Front web application component.
RemediationAI
Upgrade Taiga Front to version 6.9.1 or later, which replaces the vulnerable .html() DOM insertion method with .text(), preventing script execution in confirmation messages. The fix is available in commit a9ab31a2f184a2f5da3644829f0caa7ac6f22a4a and subsequent releases. Organizations unable to immediately patch should restrict access to the project management platform to trusted internal users only, disable untrusted user account creation, and audit existing confirmation message content for malicious payloads using application logs or database queries. Additionally, implement Content Security Policy (CSP) headers to mitigate XSS impact even if payloads are injected; however, this does not remove the stored vulnerability itself. For detailed guidance, refer to https://github.com/taigaio/taiga-front/security/advisories/GHSA-fpm6-3pvx-3c46.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29118