CVE-2026-1598 is a cross-site scripting vulnerability identified in the Bdtask Bhojon All-In-One Restaurant Management System, specifically affecting versions up to 20260116. The vulnerability resides in the User Information Module, within the /dashboard/home/profile endpoint, where the 'fullname' parameter is improperly sanitized or validated. This allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser when they access a crafted URL or manipulated input. The vulnerability is remotely exploitable without requiring authentication, though it requires user interaction to trigger the malicious payload. The CVSS 4.0 base score is 5.1, reflecting medium severity due to the ease of exploitation (network vector, low attack complexity) but limited impact on confidentiality and integrity (limited integrity impact, no availability or confidentiality impact). The vendor was notified but has not issued a patch or response, and public exploit code is available, increasing the risk of exploitation. This type of XSS can be leveraged for session hijacking, phishing, or delivering further malware, potentially compromising user accounts and sensitive data within the restaurant management system. The lack of vendor response and patch availability necessitates immediate mitigation steps by users of the software.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary scripts in the context of authenticated users of the Bhojon system. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, and phishing attacks targeting restaurant staff or administrators. Given the system manages restaurant operations, compromise could disrupt business processes, lead to data leakage of customer or employee information, and damage organizational reputation. Although the vulnerability does not directly affect system availability or integrity at a broad level, the indirect consequences of successful exploitation can be significant, especially if attackers leverage the access to pivot to other internal systems or exfiltrate sensitive data. Organizations worldwide using this software, particularly those with web-facing management portals, face increased risk until a patch is released.

Since no official patch or vendor response is available, organizations should implement immediate compensating controls. These include: 1) Applying strict input validation and output encoding on the 'fullname' parameter at the web application firewall (WAF) or reverse proxy level to block malicious script payloads; 2) Employing Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in the browser; 3) Educating users to avoid clicking on suspicious links or URLs related to the system; 4) Monitoring web server logs for unusual requests targeting the vulnerable endpoint; 5) Restricting access to the /dashboard/home/profile page to trusted IPs or VPN users where feasible; 6) Implementing multi-factor authentication to reduce impact of session hijacking; 7) Regularly backing up system data to enable recovery if compromise occurs; 8) Planning for rapid patch deployment once the vendor releases an update. Additionally, organizations should consider isolating the Bhojon system from critical internal networks to limit lateral movement.