
Critical HTML Injection Vulnerability Discovered in Bdtask Isshue Software

Source: INCIBE-CERT

INCIBE-CERT warns of an HTML injection flaw in Bdtask Isshue. Security teams urged to patch immediately to prevent client-side attacks.

HTML Injection Vulnerability Identified in Bdtask Isshue Software

Madrid, Spain – January 19, 2026 – INCIBE-CERT has issued an alert regarding a critical HTML injection vulnerability in Bdtask Isshue, a widely used issue-tracking and project management software. The flaw, if exploited, could enable attackers to execute malicious scripts in users' browsers, leading to potential data theft or session hijacking.

Technical Details

The vulnerability stems from insufficient input validation in the Isshue application, allowing attackers to inject arbitrary HTML or JavaScript code into web pages. When unsuspecting users interact with the compromised interface, the malicious script executes in their browser context, facilitating:

  • Cross-Site Scripting (XSS) attacks
  • Session cookie theft
  • Phishing or redirection to malicious sites
  • Defacement of web interfaces

At the time of publication, no CVE ID has been assigned to this vulnerability. INCIBE-CERT has classified the risk as high severity due to the potential for widespread exploitation in enterprise environments.

Impact Analysis

Organizations using Bdtask Isshue for project management or issue tracking are at risk of:

  • Unauthorized access to sensitive data via stolen session tokens
  • Compromised user accounts through credential harvesting
  • Reputation damage due to defaced or manipulated web interfaces
  • Compliance violations if exploited to exfiltrate regulated data

The vulnerability is particularly concerning for teams relying on Isshue for internal collaboration, as it could serve as an entry point for broader network compromise.

Recommendations

INCIBE-CERT advises security teams to take the following actions:

  1. Apply patches immediately once Bdtask releases an update addressing the flaw.
  2. Implement Content Security Policy (CSP) headers to mitigate XSS risks.
  3. Monitor web traffic for unusual script execution or outbound connections.
  4. Educate users on recognizing phishing attempts or suspicious links.
  5. Restrict access to Isshue instances to trusted networks until remediation is complete.
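As an added example (not code from the advisory or from Bdtask's product), the unsafe rendering pattern the advisory describes beside its output-encoded form, plus a check of whether a Content-Security-Policy header (recommendation 2) actually blocks the inline scripts and event handlers that injected HTML relies on. The issue title and the header strings are constructed samples.

```python
import html

# Constructed sample of a hostile issue title (illustrative, not from the advisory)
TAINTED_TITLE = '<img src=x onerror="alert(document.cookie)">Login page bug'

def render_title_vulnerable(title: str) -> str:
    """Insecure pattern: untrusted text concatenated straight into markup."""
    return f"<td class='title'>{title}</td>"

def render_title_safe(title: str) -> str:
    """Hardened: HTML-encode untrusted text for the element-content context."""
    return f"<td class='title'>{html.escape(title, quote=True)}</td>"

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source tokens]}.
    Browsers honour only the first occurrence of a directive, so later repeats are ignored."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def csp_blocks_inline_script(header: str) -> bool:
    """True if the effective script-src stops inline <script> blocks and on* handlers."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False                      # no script restriction at all
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" in lowered:
        # CSP level 2+: a nonce or hash source makes browsers ignore 'unsafe-inline'
        return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                   for s in lowered)
    return True

if __name__ == "__main__":
    print(render_title_vulnerable(TAINTED_TITLE))
    print(render_title_safe(TAINTED_TITLE))
    for hdr in ("default-src 'self'", "script-src 'self' 'unsafe-inline'"):
        print(hdr, "->", csp_blocks_inline_script(hdr))
```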

For further details, refer to the original INCIBE-CERT advisory.

This is a developing story. Updates will be provided as more information becomes available.
