{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-03T21:56:55.273","vulnerabilities":[{"cve":{"id":"CVE-2026-31874","sourceIdentifier":"security-advisories@github.com","published":"2026-03-11T19:16:03.970","lastModified":"2026-03-20T16:12:08.773","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account."},{"lang":"es","value":"Taskosaur es una plataforma de gestión de proyectos de código abierto con IA conversacional para la ejecución de tareas dentro de la aplicación. En la versión 1.0.0, la aplicación no valida ni restringe adecuadamente el parámetro role durante el proceso de registro de usuario. Un atacante puede modificar manualmente la carga útil de la solicitud y asignarse privilegios elevados. Dado que el backend no aplica restricciones de asignación de roles ni ignora los parámetros de rol proporcionados por el cliente, el servidor acepta el valor manipulado y crea la cuenta con privilegios SUPER_ADMIN. Esto permite a cualquier atacante no autenticado registrar una cuenta administrativa con todos los privilegios."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"},{"lang":"en","value":"CWE-639"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:taskosaur:taskosaur:1.0.0:*:*:*:*:node.js:*:*","matchCriteriaId":"89FEF05F-74B0-41FD-9845-F084FE8D8AC4"}]}]}],"references":[{"url":"https://github.com/Taskosaur/Taskosaur/commit/159a5a8f43761561100a57d34309830550028932","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/Taskosaur/Taskosaur/security/advisories/GHSA-r6gj-4663-p5mr","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}