Description
A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Affected is an unknown function of the file /dashboard/home/profile in the User Information Module component. Manipulating the argument fullname results in cross-site scripting. The attack can be launched remotely. The exploit has been made public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A cross‑site scripting vulnerability exists in the User Information Module’s /dashboard/home/profile endpoint. By supplying a crafted fullname argument, an attacker can embed arbitrary JavaScript that executes in the browsers of any user who views that profile, enabling client‑side code execution.

Affected Systems

Bdtask’s Bhojon All‑In‑One Restaurant Management System, versions up to 20260116, is affected. The flaw is located within the user information component of the web dashboard.

Risk and Exploitability

The flaw carries a CVSS 4.0 base score of 5.1, indicating medium severity. The EPSS probability is reported as less than 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation can be performed remotely through the web interface: an attacker may submit the malicious fullname value directly or craft a link that causes a victim to load the compromised profile. The vendor has not released a patch and did not respond to disclosure attempts, leaving customers at ongoing risk.

Generated by OpenCVE AI on April 18, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply a vendor‑supplied patch or upgrade to a version newer than 20260116 as soon as it becomes available.
  • Sanitize and encode the fullname input on the server side, rejecting or escaping any HTML or script content before storage or rendering.
  • Implement a strict Content Security Policy to limit the execution of injected scripts.


Tracking


Advisories

No advisories yet.

History

Thu, 19 Feb 2026 21:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:bdtask:bhojon:*:*:*:*:*:*:*:*

Fri, 30 Jan 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Bdtask; Bdtask bhojon

Type: Vendors & Products
Values Added: Bdtask; Bdtask bhojon

Thu, 29 Jan 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 17:30:00 +0000

Type: Description
Values Added: A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. Performing a manipulation of the argument fullname results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: Bdtask Bhojon All-In-One Restaurant Management System User Information profile cross site scripting

Type: Weaknesses
Values Added: CWE-79; CWE-94

Type: References

Type: Metrics
Values Added:
  cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:05:54.954Z

Reserved: 2026-01-29T08:44:38.396Z

Link: CVE-2026-1598

Vulnrichment

Updated: 2026-01-29T21:27:01.374Z

NVD

Status: Analyzed

Published: 2026-01-29T18:16:10.160

Modified: 2026-02-19T21:17:15.717

Link: CVE-2026-1598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses