CVE-2026-29828 in DooTask
Summary
by MITRE • 03/20/2026
DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability identified as CVE-2026-29828 represents a critical cross-site scripting flaw within DooTask version 1.6.27 that specifically affects the project management functionality. This vulnerability exists in the /manage/project/<id> endpoint where user input is not properly sanitized or validated before being rendered back to the browser. The affected input field projectDesc serves as the attack vector, allowing malicious actors to inject arbitrary JavaScript code that executes in the browsers of other users who view the compromised project description.
This vulnerability falls under the CWE-79 category of Cross-Site Scripting, which is classified as a fundamental web application security weakness that enables attackers to inject client-side scripts into web pages viewed by other users. The ATT&CK framework categorizes this as a code injection technique under the T1566.001 sub-technique known as "Phishing with Malicious Attachments" or more broadly as T1566 "Phishing" when the XSS payload is used to redirect users to malicious sites or steal session cookies. The vulnerability is particularly concerning because it affects a project management interface where administrators and team members would regularly view project descriptions, creating multiple potential attack surfaces.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable session hijacking, credential theft, and redirection to malicious websites. Attackers could craft project descriptions containing malicious scripts that steal user authentication tokens, redirect victims to phishing pages, or even execute commands on behalf of the victim. The vulnerability is particularly dangerous in collaborative environments where multiple users regularly access project information, as a single compromised project description can affect numerous users simultaneously. The lack of proper input sanitization means that any user with the ability to modify project descriptions could become a vector for malicious activity.
Mitigation strategies for this vulnerability should focus on implementing comprehensive input validation and output encoding mechanisms. The application should employ proper HTML escaping and sanitization techniques when rendering user-supplied content, ensuring that any potentially malicious scripts are neutralized before being displayed. Input validation should include strict character filtering, length restrictions, and regular expression validation to prevent the injection of script tags or event handlers. Additionally, implementing a Content Security Policy (CSP) header would provide an additional layer of protection by restricting the sources from which scripts can be loaded. The recommended approach aligns with the OWASP Top Ten security practices and follows the principle of least privilege by ensuring that user input is properly validated at multiple points in the application lifecycle. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other input fields throughout the application, as this represents a systemic issue that may affect other endpoints.
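The output-encoding and CSP mitigations described above, as an added example that is not DooTask's own code: it renders a constructed projectDesc value with and without HTML escaping and checks whether any markup survives. The function names, the wrapper markup and the policy string are assumptions made for illustration.

```javascript
// Added example: output encoding for a user-supplied project description.
// All names here (escapeHtml, renderUnsafe, renderSafe, CSP_HEADER) are
// hypothetical and not taken from DooTask's code base.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can open a tag, attribute or entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the stored description is concatenated into markup as-is.
function renderUnsafe(projectDesc) {
  return `<div class="project-desc">${projectDesc}</div>`;
}

// Hardened pattern: encode at output time, in the HTML text context.
function renderSafe(projectDesc) {
  return `<div class="project-desc">${escapeHtml(projectDesc)}</div>`;
}

// Returns true when the rendered fragment contains markup beyond the
// single wrapper <div>, i.e. the description was interpreted as HTML.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<div class="project-desc">/, "").replace(/<\/div>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// Defence in depth: a policy that blocks inline scripts and inline handlers.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample input containing a script tag and an event handler.
const sample = `Q3 plan <b onmouseover="f()">bold</b><script>g()</script> & notes`;

console.log(renderUnsafe(sample));
console.log(renderSafe(sample));
console.log("unsafe has markup:", containsInjectedMarkup(renderUnsafe(sample)));
console.log("safe has markup:", containsInjectedMarkup(renderSafe(sample)));
```

The escaping here is correct only for HTML text content; values placed into attributes, URLs or script blocks need the encoder for that context.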