CVE-2026-59097
Gravedad CVSS v4.0:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
02/07/2026
Última modificación:
02/07/2026
Descripción
*** Pendiente de traducción *** Taiga before 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary project identifier to these endpoints, which bypass permission checks and apply the AllowAny default, to pre-empt project administrators from initializing due dates by creating records before they can do so themselves.
Impacto
Puntuación base 4.0
6.90
Gravedad 4.0
MEDIA
Puntuación base 3.x
5.30
Gravedad 3.x
MEDIA
Referencias a soluciones, herramientas e información
- https://github.com/taigaio/taiga-back/commit/f925af424623350e04d4abc45bf1dc70e70c48a9
- https://github.com/taigaio/taiga-back/issues/244
- https://github.com/taigaio/taiga-back/pull/245
- https://github.com/taigaio/taiga-back/releases/tag/6.10.2
- https://www.vulncheck.com/advisories/taiga-unauthorized-due-date-creation-via-api-viewsets



