CVE-2026-1598: Cross Site Scripting in Bdtask Bhojon All-In-One Restaurant Management System
CVE-2026-1598 is a medium-severity cross-site scripting (XSS) vulnerability in the Bdtask Bhojon All-In-One Restaurant Management System, specifically in the User Information Module's /dashboard/home/profile component. The vulnerability arises from improper sanitization of the 'fullname' argument, allowing remote attackers to inject malicious scripts. Exploitation does not require authentication but does require user interaction. The vendor has not responded to disclosure attempts, and no patches are currently available. While no known exploits are in the wild, the public availability of the exploit code increases risk. This vulnerability could lead to session hijacking, credential theft, or other malicious actions impacting confidentiality and integrity. European organizations using this system, especially in countries with significant restaurant and hospitality sectors, should prioritize mitigation. Practical defenses include input validation, web application firewalls, and monitoring for suspicious activity. Countries with higher adoption of Bhojon or similar systems and strategic hospitality industries, such as Germany, France, Italy, Spain, and the UK, are most likely affected.
AI Analysis
Technical Summary
CVE-2026-1598 identifies a cross-site scripting (XSS) vulnerability in the Bdtask Bhojon All-In-One Restaurant Management System, version up to 20260116. The flaw exists in the User Information Module within the /dashboard/home/profile endpoint, where the 'fullname' parameter is not properly sanitized, allowing attackers to inject malicious JavaScript code. This vulnerability can be exploited remotely without authentication, although it requires user interaction (e.g., a victim clicking a crafted link or viewing a malicious payload). The vulnerability impacts the confidentiality and integrity of user sessions by enabling attackers to execute arbitrary scripts in the context of the victim's browser. The vendor was notified early but has not issued any patches or responses, and no official remediation is currently available. The CVSS 4.0 score is 5.1 (medium severity), reflecting the ease of remote exploitation and potential impact but limited by the need for user interaction and lack of privilege escalation. The exploit code has been publicly disclosed, increasing the risk of exploitation. The vulnerability does not affect availability and does not require privileges or authentication, making it a moderate risk for affected deployments. Given the nature of the Bhojon system as a restaurant management platform, exploitation could lead to theft of user credentials, session hijacking, or further attacks on the backend systems.
Potential Impact
For European organizations using the Bhojon All-In-One Restaurant Management System, this XSS vulnerability poses significant risks to user data confidentiality and integrity. Attackers could hijack user sessions, steal credentials, or perform unauthorized actions on behalf of legitimate users, potentially leading to data breaches or fraud. In the hospitality sector, compromised systems could disrupt operations, damage customer trust, and lead to regulatory penalties under GDPR if personal data is exposed. The lack of vendor response and patch availability increases the window of exposure. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to exploit it. The impact is particularly critical for organizations with public-facing dashboards or user profile management features accessible to multiple users or customers. Additionally, attackers might leverage this vulnerability as a foothold for further network intrusion or lateral movement within the organization’s IT environment.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls. First, apply strict input validation and output encoding on the 'fullname' parameter at the application or web server level to neutralize malicious scripts. Employ a robust Web Application Firewall (WAF) configured to detect and block XSS payloads targeting the affected endpoint. Conduct regular security awareness training to educate users about phishing and social engineering risks that could trigger exploitation. Monitor web server and application logs for unusual requests or script injection attempts. If possible, restrict access to the /dashboard/home/profile page to trusted users or IP ranges to reduce exposure. Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Organizations should also engage with Bdtask to demand a timely patch and track any updates. Finally, plan for an application update or migration to a more secure platform if remediation is delayed.
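The technical summary and the mitigation section above describe the weakness (an unsanitized 'fullname' value rendered into the profile page) and the compensating controls a defender can apply without a vendor patch: allow-list input validation, output encoding, a Content Security Policy, and log monitoring for injection attempts. The following Python is an added example written for this page, not code from Bdtask or the Bhojon product. The endpoint path and parameter name come from the advisory; the assumption that 'fullname' arrives as a GET query parameter, the log format, the sample log lines, the probe string and the CSP policy are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Endpoint and parameter names come from the advisory; whether 'fullname' arrives
# via GET or POST in the real product is not stated, so this example treats it as
# a query parameter (an assumption).
PROFILE_PATH = "/dashboard/home/profile"

# Constructed sample inputs: a legitimate name and a classic XSS probe string,
# used only to check that the hardened renderer neutralises markup.
BENIGN_NAME = "Maria O'Neill-García"
HOSTILE_NAME = '<img src=x onerror="alert(1)">'

# Allow-list for a display name: starts with a letter (any script), then letters,
# spaces, apostrophes, periods or hyphens, at most 100 characters in total.
FULLNAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ '.\-]){0,99}")


def validate_fullname(name: str) -> bool:
    """Reject any 'fullname' value containing characters a name never needs."""
    return FULLNAME_RE.fullmatch(name) is not None


def render_profile_vulnerable(name: str) -> str:
    """Insecure pattern: user input concatenated straight into HTML (do not use)."""
    return f"<h2>Welcome, {name}</h2>"


def render_profile_hardened(name: str) -> str:
    """Output encoding: HTML-significant characters become entities, so the
    browser renders the name as text and never parses it as markup."""
    return f"<h2>Welcome, {html.escape(name, quote=True)}</h2>"


def csp_headers() -> dict:
    """Restrictive CSP that blocks inline scripts; hypothetical policy, to be
    adjusted to the application's real script sources."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        ),
    }


# Constructed access-log lines (combined log format) using TEST-NET addresses.
LOG_LINES = [
    '203.0.113.7 - - [29/Jan/2026:17:01:02 +0000] "GET /dashboard/home/profile?fullname=Maria%20O%27Neill HTTP/1.1" 200 5120',
    '203.0.113.9 - - [29/Jan/2026:17:03:45 +0000] "POST /dashboard/home/profile HTTP/1.1" 302 0',
    '198.51.100.4 - - [29/Jan/2026:17:05:11 +0000] "GET /dashboard/home/profile?fullname=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 5201',
    '198.51.100.4 - - [29/Jan/2026:17:05:30 +0000] "GET /dashboard/home/orders HTTP/1.1" 200 800',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Markers that have no business in a display name; compared after URL-decoding
# and lower-casing so percent-encoding or case changes do not hide them.
XSS_MARKERS = ("<script", "<img", "<svg", "onerror=", "onload=", "javascript:")


def flag_suspicious_requests(lines):
    """Return (client_ip, decoded_target) for requests to the profile endpoint whose
    query string carries script-injection markers. POST bodies are not in an access
    log, so body parameters need application-level logging to be covered."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        if not target.startswith(PROFILE_PATH):
            continue
        decoded = unquote(target)
        if any(marker in decoded.lower() for marker in XSS_MARKERS):
            hits.append((ip, decoded))
    return hits


if __name__ == "__main__":
    print("benign name accepted:", validate_fullname(BENIGN_NAME))
    print("probe accepted:", validate_fullname(HOSTILE_NAME))
    print("vulnerable:", render_profile_vulnerable(HOSTILE_NAME))
    print("hardened:  ", render_profile_hardened(HOSTILE_NAME))
    for ip, target in flag_suspicious_requests(LOG_LINES):
        print("suspicious profile request from", ip, "->", target)
```

Validation and output encoding are independent layers: the allow-list rejects the probe before it is stored, and the encoder makes sure that anything that still reaches the template (for example a name saved before the control was added) is rendered as text. The log scanner only sees query strings, which is why the note on POST bodies matters when tuning WAF rules or application logging for this endpoint.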
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-29T08:44:38.396Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 697b9895ac06320222a54d4d
Added to database: 1/29/2026, 5:27:49 PM
Last enriched: 1/29/2026, 5:42:20 PM
Last updated: 1/29/2026, 6:28:45 PM
Related Threats
- CVE-2025-69749: n/a (severity: Unknown)
- CVE-2025-15548: CWE-311 Missing Encryption of Sensitive Data in TP-Link Systems Inc. VX800v v1.0 (severity: Medium)
- CVE-2025-15543: CWE-59 Improper Link Resolution Before File Access ('Link Following') in TP-Link Systems Inc. VX800v v1.0 (severity: Medium)
- CVE-2025-15542: CWE-754 Improper Check for Unusual or Exceptional Conditions in TP-Link Systems Inc. VX800v v1.0 (severity: Medium)
- CVE-2025-15541: CWE-59 Improper Link Resolution Before File Access ('Link Following') in TP-Link Systems Inc. VX800v v1.0 (severity: Medium)