3 vulnerabilities by morelitea
CVE-2026-28276 (GCVE-0-2026-28276)
Vulnerability from cvelistv5 – Published: 2026-02-26 22:57 – Updated: 2026-02-27 17:40
Title
Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint
Summary
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved in v0.32.4.
Severity
7.5 (High)
CWE
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq | x_refsource_CONFIRM |
| https://github.com/Morelitea/initiative/releases/tag/v0.32.2 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Morelitea | initiative | Affected: < 0.32.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T17:37:27.019868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T17:40:15.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "initiative",
"vendor": "Morelitea",
"versions": [
{
"status": "affected",
"version": "\u003c 0.32.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved in v0.32.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T22:57:36.406Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq"
},
{
"name": "https://github.com/Morelitea/initiative/releases/tag/v0.32.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.2"
}
],
"source": {
"advisory": "GHSA-w34j-fx72-h2pq",
"discovery": "UNKNOWN"
},
"title": "Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28276",
"datePublished": "2026-02-26T22:57:36.406Z",
"dateReserved": "2026-02-26T01:52:58.734Z",
"dateUpdated": "2026-02-27T17:40:15.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28275 (GCVE-0-2026-28275)
Vulnerability from cvelistv5 – Published: 2026-02-26 22:56 – Updated: 2026-02-27 17:44
Title
Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)
Summary
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
Severity
8.1 (High)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h | x_refsource_CONFIRM |
| https://github.com/Morelitea/initiative/releases/tag/v0.32.4 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Morelitea | initiative | Affected: < 0.32.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28275",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T17:42:45.634963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T17:44:23.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "initiative",
"vendor": "Morelitea",
"versions": [
{
"status": "affected",
"version": "\u003c 0.32.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T22:56:07.815Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h"
},
{
"name": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4"
}
],
"source": {
"advisory": "GHSA-hww6-3fww-xw3h",
"discovery": "UNKNOWN"
},
"title": "Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28275",
"datePublished": "2026-02-26T22:56:07.815Z",
"dateReserved": "2026-02-26T01:52:58.734Z",
"dateUpdated": "2026-02-27T17:44:23.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28274 (GCVE-0-2026-28274)
Vulnerability from cvelistv5 – Published: 2026-02-26 22:55 – Updated: 2026-02-27 17:48
Title
Initiative Vulnerable to Token Theft via Stored XSS in Document Uploads
Summary
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue.
Severity
8.7 (High)
CWE
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/Morelitea/initiative/security/advisories/GHSA-v38c-x27x-p584 | x_refsource_CONFIRM |
| https://github.com/Morelitea/initiative/releases/tag/v0.32.4 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Morelitea | initiative | Affected: < 0.32.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28274",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T17:47:00.683761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T17:48:34.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "initiative",
"vendor": "Morelitea",
"versions": [
{
"status": "affected",
"version": "\u003c 0.32.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the \"Initiatives\" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application\u0027s origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application\u0027s domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T22:55:01.751Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Morelitea/initiative/security/advisories/GHSA-v38c-x27x-p584",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-v38c-x27x-p584"
},
{
"name": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4"
}
],
"source": {
"advisory": "GHSA-v38c-x27x-p584",
"discovery": "UNKNOWN"
},
"title": "Initiative Vulnerable to Token Theft via Stored XSS in Document Uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28274",
"datePublished": "2026-02-26T22:55:01.751Z",
"dateReserved": "2026-02-26T01:52:58.734Z",
"dateUpdated": "2026-02-27T17:48:34.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}