Skip to main content

OKRs & Goals CVE-2026-5005

| EUVDEUVD-2026-42592 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 TR-CERT GHSA-j92g-m3p2-444q
5.4
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Low privilege to inject, victim must actively view page, scope change reflects cross-user script execution; no availability impact applicable.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 16:01 EUVD
Analysis Generated
Jul 09, 2026 - 14:51 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals allows Stored XSS.

This issue affects OKRs & Goals: from 28220 before 28398.

AnalysisAI

Stored XSS in Twiser OKRs & Goals (builds 28220 through pre-28398) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other authenticated users' browsers. The CVSS scope change (S:C) confirms cross-user impact - a hallmark of stored XSS where one user's injected payload affects others who subsequently view the same content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege platform account
Delivery
Inject XSS payload into OKR/goal input field
Exploit
Payload persisted in application database
Execution
Victim user navigates to affected page
Persist
Stored script executes in victim browser session
Impact
Steal session token or perform unauthorized actions as victim

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated account on the OKRs & Goals platform with at minimum low privileges (PR:L per CVSS), consistent with a standard employee or contributor role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 5.4 (Medium) score accurately reflects constrained real-world risk: the attack requires an authenticated low-privileged account (PR:L) and victim interaction (UI:R), limiting opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated employee with standard platform access submits a crafted XSS payload - for example, a script tag embedded in an OKR goal title or key result description field. When a manager or administrator later navigates to the affected page to review goals, the stored script executes silently in their browser, potentially exfiltrating their session token or performing actions (approvals, edits) on their behalf. …
Remediation Upgrade OKRs & Goals to build 28398 or later; this version boundary is stated explicitly in the CVE description as the fix threshold. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-5005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy