Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals allows Stored XSS.

This issue affects OKRs & Goals: from 28220 before 28398.
Published: 2026-07-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the affected version range of Twiser’s OKRs & Goals, input entered through the application is not properly neutralized before being rendered in web pages, permitting cross‑site scripting. When an attacker submits malicious script via a supported input field, that script is stored and subsequently executed in the browsers of any user who views the affected page. The impact is confinement to the victim’s browser and can lead to theft of session data, defacement of local content, or execution of further client‑side attacks, but it does not grant direct code execution on the server.

Affected Systems

Twiser Informatics Technology Consulting, Trade and Education Inc. – OKRs & Goals update 28220 through 28398 are affected. No additional vendor or product versions are listed.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, and the EPSS score is not available, which does not confirm current exploitation probability. This issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves web forms or data entry points that feed content directly into the application’s output rendering without proper sanitization. An attacker who can insert data into these fields can trigger the stored XSS when other users load the compromised page.

Generated by OpenCVE AI on July 9, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s official patch or upgrade to a version newer than 28398
  • Implement input validation and output encoding by following the OWASP Cross‑Site Scripting Prevention guidelines
  • Deploy a Content Security Policy (CSP) header that restricts inline script execution

Generated by OpenCVE AI on July 9, 2026 at 22:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals allows Stored XSS. This issue affects OKRs & Goals: from 28220 before 28398.
Title Stored XSS in Twiser's OKRs & Goals
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-07-09T14:36:06.999Z

Reserved: 2026-03-27T13:52:23.527Z

Link: CVE-2026-5005

cve-icon Vulnrichment

Updated: 2026-07-09T14:36:00.553Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T22:45:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')