CVE-2026-12129
Description
Stored XSS in CodeAstro HRMS 1.0 To-Do List allows persistent JavaScript execution via unsanitized todo_data input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
This is a stored cross-site scripting (XSS) vulnerability in CodeAstro Human Resource Management System version 1.0. The affected endpoint is /dashboard/add_todo in the Dashboard interface. The todo_data parameter is not sanitized before storage, allowing persistent injection of arbitrary JavaScript. The vulnerability is present in the To-Do List component of the dashboard. [1]
Exploitation
An authenticated user can exploit this by sending a POST request to /hrsystem/dashboard/add_todo with a malicious payload in the todo_data field, such as ``. The payload is stored and executed immediately upon submission, and continues to trigger whenever the dashboard or To-Do List section is loaded by any user. The attack is remote and requires only authentication. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any authenticated user who views the dashboard. This stored XSS can lead to session hijacking, theft of sensitive data, defacement, or further client-side attacks. The impact is persistent across sessions and affects all users who access the To-Do List. [1]
Mitigation
No official patch has been released by CodeAstro as of the publication date (2026-06-12). The vendor's website [2] does not provide a security advisory for this issue. As a workaround, administrators should implement proper input sanitization for the todo_data parameter and output encoding when rendering the To-Do List. Disabling the To-Do List feature may also reduce the attack surface. [1][2]
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application stores and renders user-controlled todo_data input without proper sanitization or output encoding."
Attack vector
An authenticated attacker sends a POST request to `/hrsystem/dashboard/add_todo` with malicious JavaScript in the `todo_data` parameter [ref_id=1]. The payload is stored server-side and executes in the browser of any user who views the dashboard, persisting across sessions and page reloads [ref_id=1].
Affected code
The file `/dashboard/add_todo` in the Dashboard Interface of CodeAstro Human Resource Management System 1.0 does not sanitize the `todo_data` parameter before storing and rendering it. This allows stored cross-site scripting via the To-Do List feature [ref_id=1].
What the fix does
The advisory recommends sanitizing user-controlled input with `htmlspecialchars($input, ENT_QUOTES, 'UTF-8')` before output to prevent HTML/JavaScript injection [ref_id=1]. The patch is not shown in the bundle, but encoding output would neutralize the script payloads that are currently stored and rendered unsanitized.
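The following PHP snippet is an added illustration, not code from CodeAstro HRMS or from the advisory: it places the vulnerable pattern (stored `todo_data` echoed raw into the page) beside the output-encoded form the advisory recommends, using the `<svg onload=...>` entry from the reproduction steps as a constructed sample. The function names `renderTodoVulnerable`, `renderTodoSafe` and `validateTodoInput` are assumptions for illustration and do not correspond to the application's own code.

```php
<?php
// Added example (not CodeAstro's code): vulnerable rendering pattern beside
// the output-encoded form recommended in the advisory. Function names are
// assumptions for illustration, not the application's own identifiers.

declare(strict_types=1);

// Vulnerable: the stored todo_data is concatenated into the page as raw HTML,
// so any markup the user saved becomes part of the DOM when the list renders.
function renderTodoVulnerable(string $todo_data): string
{
    return '<li class="todo">' . $todo_data . '</li>';
}

// Hardened: encode at output time. ENT_QUOTES encodes both ' and " so the
// value is also safe inside an attribute; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string; an explicit charset
// avoids mis-decoding of multi-byte input.
function renderTodoSafe(string $todo_data): string
{
    $encoded = htmlspecialchars($todo_data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li class="todo">' . $encoded . '</li>';
}

// Defence in depth on input: reject empty or implausibly long entries before
// they reach storage. This is not a substitute for output encoding; encoding
// is what neutralises entries that are already stored.
function validateTodoInput(string $todo_data): bool
{
    $trimmed = trim($todo_data);
    return $trimmed !== '' && mb_strlen($trimmed, 'UTF-8') <= 500;
}

// Quick self-check used below: a correctly encoded fragment contains no raw
// '<', '>' or '"' characters, so the browser renders it as literal text.
function containsRawMarkup(string $html): bool
{
    return preg_match('/[<>"]/', $html) === 1;
}

// Constructed sample: the entry from the advisory's reproduction steps.
$sample = '<svg onload="alert(\'Stored XSS Triggered via To Do List\')">';

echo "Input accepted by validateTodoInput: "
    . (validateTodoInput($sample) ? 'yes' : 'no') . "\n";

$vulnerable = renderTodoVulnerable($sample);
$safe       = renderTodoSafe($sample);

echo "Vulnerable render:\n" . $vulnerable . "\n";
echo "  raw markup present: " . (containsRawMarkup($vulnerable) ? 'yes' : 'no') . "\n\n";

echo "Hardened render:\n" . $safe . "\n";
// The <li> wrapper is trusted template markup, so check only the user part.
$userPart = substr($safe, strlen('<li class="todo">'), -strlen('</li>'));
echo "  raw markup in user-controlled part: "
    . (containsRawMarkup($userPart) ? 'yes' : 'no') . "\n";
```

Run it with `php example.php`. The hardened output keeps the entry as visible text (`&lt;svg onload=&quot;...&quot;&gt;`), so no `<svg>` element and no `onload` handler are created when the dashboard or To-Do List section loads. Note that `validateTodoInput` accepts the sample, which is the point: length and emptiness checks do not stop markup, and the encoding step at render time is the control that actually addresses this issue.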
Preconditions
- auth: The attacker must have a valid user account to log in and access the To-Do List feature
- network: The attacker sends a POST request with a crafted todo_data payload via the application's web interface
- input: The payload is unsanitized user input in the todo_data parameter
Reproduction
Login to the HR Management System application. Navigate to the Dashboard page. Locate the To-Do List feature. Add a new to-do entry using the payload `<svg onload="alert('Stored XSS Triggered via To Do List')">` and submit. Observe that the JavaScript payload executes immediately. Refresh the dashboard page or reopen the To-Do List section; the payload continues executing persistently [ref_id=1].
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.