Description
DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc.
Published: 2026-03-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability occurs in DooTask v1.6.27, where the project description field on the /manage/project/<id> page accepts unsanitized input. This allows cross‑site scripting, enabling arbitrary JavaScript code to run in the browser of any user who views the affected project.

Affected Systems

Installations that run DooTask v1.6.27 are affected. No vendor information beyond the product is provided in the CNA data, and no other version details are listed.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium-severity vulnerability; the recorded vector (AV:N/AC:L/PR:N/UI:R/S:C) describes a network-reachable issue that needs no privileges but does require a victim to interact, with a changed scope. EPSS is below 1%, indicating a low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so no widespread active exploitation is publicly known. The likely attack vector is web-based: an attacker stores malicious content in the project description and convinces a user to view the page, at which point arbitrary script executes in the viewer's browser.

Generated by OpenCVE AI on April 2, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a newer DooTask release exists, upgrade to that version immediately.
  • If upgrade is not immediately possible, sanitize the projectDesc input to remove or encode potentially harmful content.
  • Configure a Content Security Policy header to restrict script execution on the project page.
  • Enable a web application firewall or security middleware to detect and block XSS payloads.
  • Educate users to be cautious about unexpected project links.
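The second and third actions above (encode the stored description and restrict script execution with a Content Security Policy) are shown below as an added example in JavaScript. This is not DooTask's code and the page does not show the project's template; the render functions, the `nonce` parameter and the sample description are constructed for illustration. The "unsafe" function reproduces the bug class described in the advisory (stored text concatenated into markup) next to an output-encoded version and a CSP header that would blunt a future encoding slip.

```javascript
// Added example, not DooTask code: output-encoding projectDesc and
// sending a CSP so a stored description cannot run as script.

// Minimal HTML entity encoder for text placed in element content or
// double-quoted attribute values. Covers the five characters that matter.
function escapeHtml(value) {
  return (value == null ? '' : String(value))
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical reconstruction of the bug class): the
// stored description is concatenated straight into markup, so any tag in
// projectDesc becomes live HTML for every viewer of /manage/project/<id>.
function renderProjectDescUnsafe(projectDesc) {
  return `<div class="project-desc">${projectDesc}</div>`;
}

// Hardened pattern: encode at the output boundary. Markup in the stored
// value is displayed literally instead of being parsed by the browser.
function renderProjectDescSafe(projectDesc) {
  return `<div class="project-desc">${escapeHtml(projectDesc)}</div>`;
}

// Defence in depth: a CSP that only allows scripts from the app's own
// origin plus a per-response nonce for inline scripts the app itself
// emits. A tag injected into page content carries no nonce, so even if an
// encoding bug slips through it will not execute. `nonce` is assumed to be
// generated fresh per response by the server.
function buildCspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Review check: does a rendered fragment still contain a parseable
// <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample description (not from the advisory): harmless markup a
// user might type, followed by a tag the unsafe render would execute.
const SAMPLE_DESC = 'Q3 roadmap <b>draft</b><script>alert(1)</script>';

console.log('unsafe:', renderProjectDescUnsafe(SAMPLE_DESC));
console.log('safe:  ', renderProjectDescSafe(SAMPLE_DESC));
console.log('csp:   ', buildCspHeader('per-response-nonce'));
```

Encoding belongs at the point where the value is written into HTML, not only on input: a description stored before a fix shipped would otherwise still render as markup. The CSP is a second layer, not a replacement for encoding.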


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting Vulnerability in DooTask Project Description Field

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Dootask
Dootask dootask
CPEs cpe:2.3:a:dootask:dootask:*:*:*:*:*:*:*:*
Vendors & Products Dootask
Dootask dootask

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting Vulnerability in DooTask Project Description Field

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Kuaifan
Kuaifan dootask
Vendors & Products Kuaifan
Kuaifan dootask

Fri, 20 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T13:59:57.348Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29828

Vulnrichment

Updated: 2026-03-23T13:58:09.170Z

NVD

Status : Analyzed

Published: 2026-03-20T17:16:58.527

Modified: 2026-04-02T20:12:50.910

Link: CVE-2026-29828

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:39:20Z

Weaknesses