CVE-2026-28116: Stored XSS in Emilia Projects Progress Planner 1.9.0 and Earlier
Emilia Projects Progress Planner versions 1.9.0 and earlier contain a stored cross-site scripting (XSS) vulnerability that allows authenticated administrators to inject malicious scripts into the application. When other users view affected pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further lateral movement within the application environment.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emilia Projects Progress Planner allows Stored XSS. This issue affects Progress Planner: from n/a through 1.9.0.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-28116 is a stored XSS vulnerability (CWE-79) in Progress Planner arising from improper input sanitization during web page generation. The vulnerability requires high-privilege authentication (administrator role) and user interaction to exploit. The attack vector is network-based with low attack complexity. The vulnerability affects confidentiality, integrity, and availability with limited scope, resulting in a CVSS 3.1 score of 5.9 (Medium severity).
Business impact
This vulnerability primarily threatens organizations using Progress Planner where administrative accounts may be compromised or where insider threats exist. Successful exploitation could lead to unauthorized data exposure, modification of project data, or disruption of planning workflows. The requirement for high-privilege access limits the immediate risk surface, but compromised admin credentials represent a material attack path. Organizations should evaluate whether their access controls and administrative monitoring adequately detect such attacks.
Affected systems
Progress Planner versions from the earliest tracked version through 1.9.0 are affected by this vulnerability. Organizations running Progress Planner should audit their deployment versions immediately. The vendor has not released information on patch availability at this time; consult the official Emilia Projects advisory for the latest remediation status.
Exploitability
Exploitation requires administrator-level access to the Progress Planner application and user interaction (such as a victim visiting an affected page). While the network attack surface is broad, the high-privilege requirement significantly constrains real-world attack scenarios. This is not an unauthenticated remote code execution vulnerability. Threat actors would need either stolen admin credentials or insider cooperation to mount an attack.
Remediation
First, identify all Progress Planner instances in your environment and determine their version numbers. Verify patch availability from Emilia Projects. If a patch exists for versions above 1.9.0, upgrade as soon as possible. If no patch is available, implement compensating controls: restrict administrative access to trusted networks only, enable detailed audit logging of administrative actions, and monitor for unusual script injection patterns in application logs.
Patch guidance
Verify the latest patch status directly with Emilia Projects. Organizations should prepare upgrade testing in a staging environment before production deployment. Given the stored XSS nature, a patched version should be treated as high-priority after release. Ensure administrative accounts are reviewed for unauthorized modifications prior to patching, as injected scripts may have already been deployed.
Detection guidance
Monitor Progress Planner application logs for suspicious script tags or encoded payloads in user input fields and saved project data. Look for unusual administrative account activity, particularly creation or modification of project elements containing JavaScript or HTML markup. Network-based detection should focus on identifying access to Progress Planner from unexpected administrative locations or at unusual times. Query the application's data store for common XSS payloads in stored fields if direct logging is unavailable.
Why prioritize this
Although rated CVSS 5.9 (Medium), this vulnerability warrants prompt remediation because stored XSS in administrative interfaces can serve as a persistence mechanism for attackers. The requirement for high-privilege access means this is lower priority than remote unauthenticated vulnerabilities, but the potential for lateral movement and data exfiltration justifies treating it as a near-term fix. Organizations should prioritize this within their medium-severity queue, particularly if they have identified historical admin account compromises.
Risk score, explained
The CVSS 5.9 score reflects the combination of network accessibility, low attack complexity, but high-privilege requirement and required user interaction. While the scope is changed (cross-context impact is possible), the confidentiality, integrity, and availability impacts are individually classified as low. The stored nature of the XSS elevates risk compared to reflected variants, as the attack persists and affects multiple users over time.
Frequently asked questions
Do I need to patch immediately if I'm using Progress Planner 1.9.0?
You should treat this as a near-term priority, but not a critical emergency. Begin planning an upgrade or patch deployment and audit administrative accounts for unauthorized modifications. The high-privilege requirement means most organizations are not immediately at risk unless they have evidence of compromised admin credentials or documented insider threats.
What is the difference between this stored XSS and other XSS vulnerabilities?
Stored XSS persists in the application database or files, affecting any user who views the compromised content—not just the attacker or a single victim. This makes it more dangerous than reflected XSS because the malicious script is replayed repeatedly without requiring the attacker to send a new link. However, this vulnerability still requires high-privilege access to store the payload initially.
Can this vulnerability lead to remote code execution on the server?
No. This vulnerability is limited to client-side script execution within the victim's browser. It cannot directly execute code on the Progress Planner server. However, the injected script could be used to harvest session tokens, steal credentials, or perform actions on behalf of the logged-in user, which might indirectly lead to further compromise.
How do I check if my Progress Planner instance has been exploited?
Review administrative activity logs for unusual project modifications or data entries containing script tags, encoded payloads, or suspicious HTML. Audit the application's stored project data for entries that contain JavaScript keywords or event handlers (onclick, onload, etc.). If you find suspicious entries, assume the compromised admin account was active during that period and investigate for other signs of unauthorized access.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Patch availability, timelines, and technical details may change; consult official Emilia Projects advisories for authoritative guidance. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment based on their specific deployment, access controls, and threat model. SEC.co does not guarantee the completeness or accuracy of third-party vendor responses or patch release schedules. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1