CVE-2026-1598
Unknown Unknown - Not Provided
Cross-Site Scripting in Bdtask Bhojon User Profile Module

Publication date: 2026-01-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. Performing a manipulation of the argument fullname results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1598
EUVD
EUVD-2026-4956
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bdtask bhojon to 2026-01-16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1598 is a Stored Cross-Site Scripting (XSS) vulnerability in the Bdtask Bhojon All-In-One Restaurant Management System, specifically in the User Information Module at /dashboard/home/profile. It occurs because the application does not properly sanitize or encode the 'fullname' input field, allowing an attacker to inject malicious JavaScript code that is stored and executed whenever the profile page is viewed by users. This can be exploited remotely and requires victim interaction to trigger the malicious script. [1, 2, 3]

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows for cross-site scripting leading to potential account takeover, session theft, and administrative compromise, it could indirectly affect compliance by risking unauthorized access to personal or sensitive data. This could lead to violations of data protection requirements under regulations like GDPR or HIPAA if exploited. No direct statements about compliance impact are provided. [1, 2, 3]

Impact Analysis

This vulnerability can lead to several serious impacts including session theft, account takeover, privilege escalation, administrative compromise, persistent execution of malicious scripts, phishing attacks, and malware injection. Essentially, an attacker can hijack user sessions, gain unauthorized access, and perform malicious actions within the affected system. [2, 3]

Detection Guidance

This vulnerability can be detected by testing the 'fullname' parameter in the profile update page (/dashboard/home/profile) of the Bhojon All-In-One Restaurant Management System for stored cross-site scripting (XSS). A common detection method is to inject a simple XSS payload such as `<script>alert(1)</script>` into the fullname field and then observe if the script executes when the profile page is reloaded. There are no specific network commands provided, but manual testing or automated web vulnerability scanners targeting stored XSS on this parameter can be used. [2, 3]

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs, especially the 'fullname' parameter, to prevent malicious scripts from being stored. Implement output encoding or HTML-encoding when rendering user data to the profile page. Stripping or escaping script tags and other potentially dangerous HTML elements is recommended. Additionally, implementing a Content Security Policy (CSP) can help reduce the impact of XSS attacks. Since no official patch or vendor response is available, consider replacing the affected product with a secure alternative. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1598. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart