CVE-2026-41250
Stored XSS in Taiga Project Management Platform
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| taigaio | taiga-front | up to 6.9.1 (exclusive; 6.9.1 is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41250 is a stored cross-site scripting (XSS) vulnerability in the Taiga project management platform's frontend (taiga-front) versions prior to 6.9.1.
This vulnerability allows an attacker to inject malicious scripts into web pages that other users view, potentially compromising the confidentiality of sensitive data.
The issue arises from improper neutralization of input during web page generation (CWE-79), meaning user input is not properly sanitized before being rendered as HTML.
The vulnerability requires low privileges and user interaction to be exploited and was fixed in version 6.9.1 by changing how messages are rendered, from interpreting user input as HTML to rendering it as plain text.
How can this vulnerability impact me?
This stored XSS vulnerability can impact you by allowing attackers to inject malicious scripts into the Taiga frontend, which are then executed in the browsers of other users.
Such attacks can lead to exposure of sensitive information, as the confidentiality of data is impacted.
Because the attack requires only low privileges and user interaction, it can be relatively easy for attackers to exploit if the system is running a vulnerable version.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored cross-site scripting (XSS) issue in Taiga front versions prior to 6.9.1. Detection involves identifying if your Taiga front instance is running a vulnerable version and checking for injected malicious scripts in web pages served by the application.
To detect the vulnerability, verify the version of Taiga front you are running. If it is prior to 6.9.1, it is vulnerable.
You can also inspect web pages for suspicious script injections by reviewing stored content that users can input, especially in areas where messages or comments are rendered.
There are no specific commands provided in the resources, but general approaches include:
- Check the Taiga front version via your deployment or package manager.
- Use web application scanning tools that detect stored XSS vulnerabilities.
- Manually inspect input fields and stored content for injected scripts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Taiga front to version 6.9.1 or later, where the vulnerability has been fixed.
The fix involves rendering user-provided messages as plain text instead of HTML, preventing malicious scripts from executing.
Until you can upgrade, consider restricting user input or sanitizing inputs on your own to prevent script injection.
Additionally, review and apply any security advisories or patches provided by the Taiga project.
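The rendering change the advisory describes (treat the stored message body as text rather than HTML) next to the pre-fix pattern, plus a triage check over stored messages, as an added JavaScript example that is not taiga-front's own code; the function names, message fields and sample messages are constructed for illustration.

```javascript
// Added illustration, not taiga-front code. Shows the rendering change the
// advisory describes (message body treated as text, not HTML) plus a
// defender's triage check over stored messages. All names are hypothetical.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-fix pattern: the stored body is interpolated into the page as HTML,
// so any markup a user saved becomes live DOM for every viewer (stored XSS).
function renderMessageAsHtml(author, body) {
  return `<div class="msg"><b>${escapeHtml(author)}</b>: ${body}</div>`;
}

// Fixed pattern: the body is escaped, so the browser displays it literally.
// In DOM terms this is the difference between element.innerHTML = body
// and element.textContent = body.
function renderMessageAsText(author, body) {
  return `<div class="msg"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Triage heuristic for reviewing stored comments/messages from a deployment
// that ran a vulnerable version: flag bodies containing tags, inline event
// handlers or javascript: URLs. A review aid, not a sanitizer; expect some
// false positives and read the flagged rows by hand.
const MARKUP_RE = /<\s*\/?[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;
function flagSuspiciousMessages(messages) {
  return messages.filter((m) => MARKUP_RE.test(m.body)).map((m) => m.id);
}

// Constructed sample export of stored messages (not real data).
const SAMPLE_MESSAGES = [
  { id: 1, author: "alice", body: "Deploy is scheduled for 14:00." },
  { id: 2, author: "bob", body: "<script>alert(1)</script>" },
  { id: 3, author: "carol", body: "Math check: 3 < 5 and 7 > 2" },
  { id: 4, author: "dave", body: 'Click <a href="javascript:alert(1)">here</a>' },
];

// Same stored body, two renderings: only the text rendering keeps it inert.
console.log(renderMessageAsHtml("bob", SAMPLE_MESSAGES[1].body));
console.log(renderMessageAsText("bob", SAMPLE_MESSAGES[1].body));
console.log("needs review:", flagSuspiciousMessages(SAMPLE_MESSAGES)); // [ 2, 4 ]
```

Message 3 shows why the heuristic looks for a tag name after `<` rather than any `<`: a bare less-than in prose is not flagged.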
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The stored cross-site scripting (XSS) vulnerability in Taiga-front prior to version 6.9.1 impacts confidentiality by potentially exposing sensitive data to attackers through malicious script injection.
Such exposure of sensitive data can affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access or disclosure.
Therefore, if the vulnerability is exploited, it could lead to violations of these regulations due to compromised confidentiality.