{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28274", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.734Z", "datePublished": "2026-02-26T22:55:01.751Z", "dateUpdated": "2026-02-27T17:48:34.045Z"}, "containers": {"cna": {"title": "Initiative Vulnerable to Token Theft via Stored XSS in Document Uploads", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Morelitea/initiative/security/advisories/GHSA-v38c-x27x-p584", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-v38c-x27x-p584"}, {"name": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4"}], "affected": [{"vendor": "Morelitea", "product": "initiative", "versions": [{"version": "< 0.32.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:55:01.751Z"}, "descriptions": [{"lang": "en", "value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the \"Initiatives\" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue."}], "source": {"advisory": "GHSA-v38c-x27x-p584", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:47:00.683761Z", "id": "CVE-2026-28274", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:48:34.045Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the \"Initiatives\" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue."}, {"lang": "es", "value": "Initiative es una plataforma de gesti\u00f3n de proyectos autohospedada. Las versiones de la aplicaci\u00f3n anteriores a la 0.32.4 son vulnerables a Cross-Site Scripting Almacenado (XSS) en la funcionalidad de carga de documentos. Cualquier usuario con permisos de carga dentro de la secci\u00f3n 'Initiatives' puede cargar un archivo .html o .htm malicioso como documento. Debido a que el archivo HTML cargado se sirve bajo el origen de la aplicaci\u00f3n sin un sandboxing adecuado, el JavaScript incrustado se ejecuta en el contexto de la aplicaci\u00f3n. Como resultado, los tokens de autenticaci\u00f3n, las cookies de sesi\u00f3n u otros datos sensibles pueden ser exfiltrados a un servidor controlado por el atacante. Adem\u00e1s, dado que el archivo cargado est\u00e1 alojado bajo el dominio de la aplicaci\u00f3n, simplemente compartir el enlace directo al archivo puede resultar en la ejecuci\u00f3n del script malicioso al ser accedido. La versi\u00f3n 0.32.4 corrige el problema."}], "id": "CVE-2026-28274", "lastModified": "2026-02-27T14:06:37.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T23:16:37.073", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-v38c-x27x-p584"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}