CVE-2026-1598
Cross-Site Scripting in Bdtask Bhojon User Profile Module
Publication date: 2026-01-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bdtask | bhojon | to 2026-01-16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows for cross-site scripting leading to potential account takeover, session theft, and administrative compromise, it could indirectly affect compliance by risking unauthorized access to personal or sensitive data. This could lead to violations of data protection requirements under regulations like GDPR or HIPAA if exploited. No direct statements about compliance impact are provided. [1, 2, 3]
Can you explain this vulnerability to me?
CVE-2026-1598 is a Stored Cross-Site Scripting (XSS) vulnerability in the Bdtask Bhojon All-In-One Restaurant Management System, specifically in the User Information Module at /dashboard/home/profile. It occurs because the application does not properly sanitize or encode the 'fullname' input field, allowing an attacker to inject malicious JavaScript code that is stored and executed whenever the profile page is viewed by users. This can be exploited remotely and requires victim interaction to trigger the malicious script. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to several serious impacts including session theft, account takeover, privilege escalation, administrative compromise, persistent execution of malicious scripts, phishing attacks, and malware injection. Essentially, an attacker can hijack user sessions, gain unauthorized access, and perform malicious actions within the affected system. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'fullname' parameter in the profile update page (/dashboard/home/profile) of the Bhojon All-In-One Restaurant Management System for stored cross-site scripting (XSS). A common detection method is to inject a simple XSS payload such as `<script>alert(1)</script>` into the fullname field and then observe if the script executes when the profile page is reloaded. There are no specific network commands provided, but manual testing or automated web vulnerability scanners targeting stored XSS on this parameter can be used. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user inputs, especially the 'fullname' parameter, to prevent malicious scripts from being stored. Implement output encoding or HTML-encoding when rendering user data to the profile page. Stripping or escaping script tags and other potentially dangerous HTML elements is recommended. Additionally, implementing a Content Security Policy (CSP) can help reduce the impact of XSS attacks. Since no official patch or vendor response is available, consider replacing the affected product with a secure alternative. [2, 1]