Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Low privilege to inject, victim must actively view page, scope change reflects cross-user script execution; no availability impact applicable.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals allows Stored XSS.
This issue affects OKRs & Goals: from 28220 before 28398.
AnalysisAI
Stored XSS in Twiser OKRs & Goals (builds 28220 through pre-28398) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other authenticated users' browsers. The CVSS scope change (S:C) confirms cross-user impact - a hallmark of stored XSS where one user's injected payload affects others who subsequently view the same content. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated account on the OKRs & Goals platform with at minimum low privileges (PR:L per CVSS), consistent with a standard employee or contributor role. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 5.4 (Medium) score accurately reflects constrained real-world risk: the attack requires an authenticated low-privileged account (PR:L) and victim interaction (UI:R), limiting opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated employee with standard platform access submits a crafted XSS payload - for example, a script tag embedded in an OKR goal title or key result description field. When a manager or administrator later navigates to the affected page to review goals, the stored script executes silently in their browser, potentially exfiltrating their session token or performing actions (approvals, edits) on their behalf. … |
| Remediation | Upgrade OKRs & Goals to build 28398 or later; this version boundary is stated explicitly in the CVE description as the fix threshold. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42592
GHSA-j92g-m3p2-444q