{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29828", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T13:59:57.348Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T16:40:38.545Z"}, "descriptions": [{"lang": "en", "value": "DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/kuaifan/dootask"}, {"url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2026-29828"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T13:59:53.595695Z", "id": "CVE-2026-29828", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:59:57.348Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29828", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T13:59:53.595695Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:58:09.170Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/kuaifan/dootask"}, {"url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2026-29828"}], "descriptions": [{"lang": "en", "value": "DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T16:40:38.545Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29828", "state": "PUBLISHED", "dateUpdated": "2026-03-23T13:59:57.348Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dootask:dootask:*:*:*:*:*:*:*:*", "matchCriteriaId": "792933D7-5C54-4088-AA7C-B4FAC8EEDDAD", "versionEndIncluding": "1.6.27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc."}, {"lang": "es", "value": "DooTask v1.6.27 tiene una vulnerabilidad de cross-site scripting (XSS) en la p\u00e1gina /manage/project/ a trav\u00e9s del campo de entrada projectDesc."}], "id": "CVE-2026-29828", "lastModified": "2026-04-02T20:12:50.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-20T17:16:58.527", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2026-29828"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/kuaifan/dootask"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.6.27"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "dootask", "vendor": "kuaifan"}], "analysis": {"en": {"generated_at": "2026-03-23T16:06:14.538843+00:00", "value": {"mitigation_remediation": ["Upgrade to a newer release of DooTask if one is available.", "If no patch is accessible, sanitize the projectDesc input by escaping or allowing only safe characters before rendering it on the page.", "Deploy a Content Security Policy that disallows execution of inline scripts.", "Ensure that all incoming data is properly validated and encoded prior to output to the browser."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Only DooTask version 1.6.27 is listed as affected. No vendor name is supplied in the CVE record, and the vulnerability is not reported in any other releases according to the information provided.", "description_and_impact": "The DooTask application contains a cross\u2011site scripting weakness on the \"/manage/project/<id>\" page: data entered into the projectDesc field is rendered without proper escaping, allowing attacker supplied input to be executed as JavaScript in the browsers of users who view the affected project. Based on the description, this script execution could enable malicious actions such as defacement, credential theft, or other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The CVE is not in CISA\u2019s KEV catalog. Exploitation would require a user to visit the \"/manage/project/<id>\" page with malicious input; the likely attack vector, based on typical web XSS scenarios, is through web UI interaction. No official patch or fix is mentioned in the CVE details, so administrators should review the vendor\u2019s website for updates or apply a workaround."}}}}, "created": "2026-03-23T09:53:32.500017+00:00", "title": "Cross\u2011Site Scripting Vulnerability in DooTask Project Description Field", "updated": "2026-03-25T14:10:21.260324+00:00", "vendors": ["kuaifan", "kuaifan$PRODUCT$dootask"]}