CVE-2026-41250 ‒ Cross-Site Scripting (XSS) in Taiga
Description
Taiga is an open-source project management tool. In taiga-front versions up to 6.9.0, the textToHTML function insufficiently sanitizes user-controlled input, allowing injection of JavaScript event attributes via permitted HTML tags. This can be exploited to steal session tokens from local storage. The issue has been fixed in version 6.9.1.
Vulnerability
The textToHTML function in filters.coffee is used to strip dangerous HTML tags from user-controlled text before inserting it into the DOM via .html(). The function allows <strong> and <br> tags, assuming them to be safe. However, these tags can carry JavaScript event attributes such as onmouseover or onload, which are not removed by the filter.
The textToHTML function is used in the ConfirmService function for the “ask” and “askDelete” confirmation dialogues, which are used across the application. One location for triggering this vulnerability is the “Delete User Story” function: the title of a user story or issue is passed as the message to textToHTML.
This XSS is particularly dangerous because Taiga does not store the session identifier in an HttpOnly cookie but in local storage, which is directly readable by JavaScript. An attacker can therefore exfiltrate a victim’s session token to an external server.
PoC
Paste the following payload into the title of a new issue, then click the delete button and hover over the highlighted text:
```html
Issue <strong onmouseover=alert(localStorage.getItem("token"))>hover here to trigger XSS via onmouseover</strong>
```

The JavaScript will execute, displaying the session token.
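The attribute gap described above, run against the page's own payload in an added JavaScript example (this is not taiga-front's textToHTML nor its 6.9.1 fix; function names are made up): an allow-list that keeps matched tags verbatim lets event attributes through, whereas escaping everything and then re-enabling only the bare literal `<strong>`, `</strong>` and `<br>` tags leaves nothing for an attribute to ride on.

```javascript
// Escape every HTML-significant character so the input is inert text.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Weak pattern (modelled on the advisory's description, not a copy of the
// original): drop every tag except <strong> and <br>, but keep the allowed
// tags exactly as written, attributes included.
function textToHtmlWeak(text) {
  return text.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    return lower === "strong" || lower === "br" ? tag : "";
  });
}

// Hardened pattern: escape first, then turn only fixed literals back into
// markup. "<strong onmouseover=...>" never matches "&lt;strong&gt;", so it
// stays as visible text rather than becoming an element.
function textToHtmlSafe(text) {
  return escapeHtml(text)
    .replace(/&lt;strong&gt;/gi, "<strong>")
    .replace(/&lt;\/strong&gt;/gi, "</strong>")
    .replace(/&lt;br\s*\/?&gt;/gi, "<br>");
}

// Detection helper: does the output still carry an on* handler on a real tag?
function containsEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample input, taken from the PoC above.
const payload =
  'Issue <strong onmouseover=alert(localStorage.getItem("token"))>hover here</strong>';
```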
Mitigations
Update to taiga-front version 6.9.1 or later.
Timeline
| Date | Action |
|---|---|
| 11.02.2026 | Vulnerability reported to security@taiga.io |
| 02.03.2026 | Neodyme asked for acknowledgement |
| 06.03.2026 | Vendor confirmed the vulnerability; hotfix to be developed |
| 17.03.2026 | Fix released in version 6.9.1, hotfix pushed to GitHub |
| 24.04.2026 | GitHub security advisory published by Taiga |
| 06.05.2026 | Release of this advisory |