{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29828", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T13:59:57.348Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T16:40:38.545Z"}, "descriptions": [{"lang": "en", "value": "DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/kuaifan/dootask"}, {"url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2026-29828"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T13:59:53.595695Z", "id": "CVE-2026-29828", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:59:57.348Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29828", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T13:59:53.595695Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:58:09.170Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/kuaifan/dootask"}, {"url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2026-29828"}], "descriptions": [{"lang": "en", "value": "DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T16:40:38.545Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29828", "state": "PUBLISHED", "dateUpdated": "2026-03-23T13:59:57.348Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dootask:dootask:*:*:*:*:*:*:*:*", "matchCriteriaId": "792933D7-5C54-4088-AA7C-B4FAC8EEDDAD", "versionEndIncluding": "1.6.27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc."}, {"lang": "es", "value": "DooTask v1.6.27 tiene una vulnerabilidad de cross-site scripting (XSS) en la p\u00e1gina /manage/project/ a trav\u00e9s del campo de entrada projectDesc."}], "id": "CVE-2026-29828", "lastModified": "2026-04-02T20:12:50.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-20T17:16:58.527", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2026-29828"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/kuaifan/dootask"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.6.27"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "dootask", "vendor": "kuaifan"}], "analysis": {"en": {"generated_at": "2026-04-02T23:11:34.060135+00:00", "value": {"mitigation_remediation": ["If a newer DooTask release exists, upgrade to that version immediately.", "If upgrade is not immediately possible, sanitize the projectDesc input to remove or encode potentially harmful content.", "Configure a Content Security Policy header to restrict script execution on the project page.", "Enable a web application firewall or security middleware to detect and block XSS payloads.", "Educate users to be cautious about unexpected project links."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Installations that run DooTask v1.6.27 are affected. No vendor information beyond the product is provided in the CNA data, and no other version details are listed.", "description_and_impact": "The vulnerability occurs in DooTask v1.6.27, where the project description field on the /manage/project/<id> page accepts unsanitized input. This allows cross\u2011site scripting, enabling arbitrary JavaScript code to run in the browser of any user who views the affected project.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity vulnerability. EPSS is less than 1%, suggesting a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no publicly known widespread attacks. The likely attack vector is web\u2011based, involving an attacker inserting malicious content into the project description and convincing a user to view the page, in which case arbitrary scripts would execute in the viewer\u2019s browser."}}}}, "created": "2026-03-23T09:53:32.500017+00:00", "updated": "2026-04-03T09:39:20.600906+00:00", "vendors": ["kuaifan", "kuaifan$PRODUCT$dootask"]}