Skip to main content

Taiga Front EUVDEUVD-2026-29118

| CVE-2026-41250 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 GitHub_M
5.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
May 11, 2026 - 18:02 EUVD
Source Code Evidence Fetched
May 11, 2026 - 17:49 vuln.today
Analysis Generated
May 11, 2026 - 17:49 vuln.today
CVE Published
May 11, 2026 - 16:50 nvd
MEDIUM 5.7

DescriptionGitHub Advisory

Taiga is a project management platform for startups and agile developers. Prior 6.9.1, Taiga front is vulnerable to stored XSS. This vulnerability is fixed in 6.9.1.

AnalysisAI

Taiga Front prior to version 6.9.1 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with limited privileges to inject malicious scripts into confirmation messages and dialogs. When other users view these messages, the scripts execute in their browser context, potentially allowing attackers to steal session cookies, perform unauthorized actions, or redirect victims to malicious sites. The vulnerability requires user interaction (UI:R) but affects confidentiality with a CVSS score of 5.7.

Technical ContextAI

The vulnerability exists in the Taiga Front confirmation service module (confirm.coffee), where user-supplied message content was being processed through a 'textToHTML' filter and then inserted into the DOM using the .html() method. The .html() method interprets its argument as HTML and executes any embedded JavaScript. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the improper handling of untrusted data in a client-side templating context. The fix replaces .html() with .text(), which treats input as plain text and automatically escapes HTML entities, preventing script execution. This affects the CPE cpe:2.3:a:taigaio:taiga-front, which represents the Taiga Front web application component.

RemediationAI

Upgrade Taiga Front to version 6.9.1 or later, which replaces the vulnerable .html() DOM insertion method with .text(), preventing script execution in confirmation messages. The fix is available in commit a9ab31a2f184a2f5da3644829f0caa7ac6f22a4a and subsequent releases. Organizations unable to immediately patch should restrict access to the project management platform to trusted internal users only, disable untrusted user account creation, and audit existing confirmation message content for malicious payloads using application logs or database queries. Additionally, implement Content Security Policy (CSP) headers to mitigate XSS impact even if payloads are injected; however, this does not remove the stored vulnerability itself. For detailed guidance, refer to https://github.com/taigaio/taiga-front/security/advisories/GHSA-fpm6-3pvx-3c46.

Share

EUVD-2026-29118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy