FKIE_CVE-2026-28274

Vulnerability from fkie_nvd - Published: 2026-02-26 23:16 - Updated: 2026-02-27 19:07
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue.
References
security-advisories@github.comhttps://github.com/Morelitea/initiative/releases/tag/v0.32.4Product, Release Notes
security-advisories@github.comhttps://github.com/Morelitea/initiative/security/advisories/GHSA-v38c-x27x-p584Exploit, Vendor Advisory
Impacted products
Vendor Product Version
morelitea initiative *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "14E07E5B-5651-4A27-86E2-CE508B70B3B6",
              "versionEndExcluding": "0.32.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the \"Initiatives\" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application\u0027s origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application\u0027s domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Initiative es una plataforma de gesti\u00f3n de proyectos autohospedada. Las versiones de la aplicaci\u00f3n anteriores a la 0.32.4 son vulnerables a Cross-Site Scripting Almacenado (XSS) en la funcionalidad de carga de documentos. Cualquier usuario con permisos de carga dentro de la secci\u00f3n \u0027Initiatives\u0027 puede cargar un archivo .html o .htm malicioso como documento. Debido a que el archivo HTML cargado se sirve bajo el origen de la aplicaci\u00f3n sin un sandboxing adecuado, el JavaScript incrustado se ejecuta en el contexto de la aplicaci\u00f3n. Como resultado, los tokens de autenticaci\u00f3n, las cookies de sesi\u00f3n u otros datos sensibles pueden ser exfiltrados a un servidor controlado por el atacante. Adem\u00e1s, dado que el archivo cargado est\u00e1 alojado bajo el dominio de la aplicaci\u00f3n, simplemente compartir el enlace directo al archivo puede resultar en la ejecuci\u00f3n del script malicioso al ser accedido. La versi\u00f3n 0.32.4 corrige el problema."
    }
  ],
  "id": "CVE-2026-28274",
  "lastModified": "2026-02-27T19:07:37.763",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-26T23:16:37.073",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-v38c-x27x-p584"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.