mediumCVE-2026-5005

OKRs & Goals Stored Cross-Site Scripting Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals allows Stored XSS. This issue affects OKRs & Goals: from 28220 before 28398.

ProductOKRs & Goals
CVSS5.4
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • OKRs & Goals from 28220 before 28398

Fixed versions

  • 28398

How to fix it

OKRs & Goals is affected by stored cross-site scripting in versions from 28220 before 28398. Upgrade to version 28398 or later and review user-controlled fields that can render in shared pages. Treat this as a session and content integrity issue for teams that use the product in browsers with authenticated users.

  1. Inventory OKRs & Goals deployments and identify versions from 28220 before 28398.
  2. Upgrade affected deployments to version 28398 or later.
  3. Review custom fields, objective text, comments, rich text inputs, and imported content for unsafe HTML or script payloads.
  4. Enable output encoding, HTML sanitization, and a restrictive Content Security Policy where supported.
  5. Clear application caches and browser-facing cached pages after removing injected content.
  6. Review access logs and audit records for suspicious stored payload creation or repeated page loads by privileged users.
  7. Rotate administrator sessions or credentials if stored XSS was used against privileged users.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the running OKRs & Goals version is 28398 or later.
  • Validate script payloads are escaped or removed in all affected fields.
  • Review audit logs for stored XSS attempts and privileged user exposure.
  • Test normal objective, goal, comment, and reporting workflows after the update.
  • Run a Fixnx scan and confirm public pages do not expose unsafe script execution.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-5005?

Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals versions listed as affected should be reviewed: OKRs & Goals from 28220 before 28398.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.