CVE-2026-28274
Published: 26 February 2026
Summary
CVE-2026-28274 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Morelitea Initiative. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 13.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents the upload of malicious .html or .htm files by validating document inputs for dangerous content or file types.
- SI-15 (Information Output Filtering): filters or sanitizes output when serving user-uploaded HTML files to neutralize embedded JavaScript and prevent XSS execution in the application's context.
- SI-2 (Flaw Remediation): requires timely flaw remediation by patching to version 0.32.4 or later, which fixes the lack of sandboxing and unsafe serving of uploaded HTML files.
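The two technical controls above, SI-10 on the upload path and SI-15 on the download path, in code. This is an added example, not code from Initiative, Morelitea or the advisory: a stdlib-only Python validator that rejects active-content uploads and checks that a file's bytes match its declared type, beside a header builder that serves stored documents as opaque, sandboxed downloads instead of rendering them under the application's origin. The extension allowlist, the magic-number table, the sample uploads and all function names are assumptions for this example; the advisory does not say how Initiative's own upload handling works.

```python
"""
Added example (not Initiative's code): input validation for document uploads
(SI-10) and output handling when serving stored uploads (SI-15).
All lists and sample inputs below are constructed for illustration.
"""
import re
from typing import Dict, Tuple

# --- SI-10: validate the uploaded document before it is stored -----------------

# Document types the application actually needs to accept (constructed allowlist).
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".txt", ".csv", ".docx", ".xlsx"}

# Types a browser executes as a document if they are ever served inline.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".svg", ".xml", ".mht", ".mhtml"}

# Leading bytes each binary type must start with; a mismatch means the name lies.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
}

# Markup that makes a byte stream parse as HTML regardless of its filename.
_HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|object|embed|svg|meta|img|link)\b",
    re.IGNORECASE,
)


def file_extension(filename: str) -> str:
    """Last extension, lower-cased, after dropping any path the client sent along."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def validate_upload(filename: str, head: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). `head` is the first few KiB of the file body."""
    ext = file_extension(filename)
    if ext in ACTIVE_EXTENSIONS:
        return False, f"active content type {ext} is not accepted as a document"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} is not on the allowlist"
    if ext in MAGIC:
        # report.html.pdf with an HTML body fails here: the bytes are not a PDF.
        if not any(head.startswith(m) for m in MAGIC[ext]):
            return False, f"file body does not match the {ext} signature"
        return True, "ok"
    # Text types have no signature; refuse anything that would parse as HTML.
    # Deliberately strict: a .txt or .csv carrying markup is rejected outright.
    if _HTML_MARKERS.search(head[:4096]):
        return False, "file body contains HTML markup inconsistent with its extension"
    return True, "ok"


# --- SI-15: neutralize what the browser may do with the stored bytes -----------

# What the vulnerable behaviour amounts to: the stored file echoed back inline with
# its own type under the application's origin (constructed illustration).
UNSAFE_DOWNLOAD_HEADERS = {"Content-Type": "text/html"}

# Content types a browser may interpret as a document or script.
_RENDERABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
    "application/xml", "text/javascript", "application/javascript",
}


def safe_download_headers(filename: str, stored_content_type: str) -> Dict[str, str]:
    """Headers for serving a stored user document as an opaque download."""
    # ASCII-only filename with no quotes or CR/LF, so it cannot break the header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:128] or "download"
    ctype = stored_content_type.split(";")[0].strip().lower()
    if not ctype or ctype in _RENDERABLE_TYPES:
        ctype = "application/octet-stream"  # never let the response render as a page
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",  # honour the type; do not sniff for HTML
        # Should inline rendering ever happen anyway, the sandbox removes script,
        # same-origin access and navigation, so nothing runs in the app's context.
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed sample uploads; the .html body is an inert marker, not a payload.
    samples = [
        ("report.pdf", b"%PDF-1.7\n"),
        ("photo.png", b"\x89PNG\r\n\x1a\n\x00"),
        ("page.html", b"<html><body><script>/* constructed marker */</script></body></html>"),
        ("report.html.pdf", b"<!DOCTYPE html><html></html>"),
        ("notes.txt", b"plain text"),
        ("notes.csv", b"a,b,<script></script>"),
        ("C:\\docs\\..\\evil.HTM", b""),
    ]
    for name, head in samples:
        print(f"{name!r:28} -> {validate_upload(name, head)}")
    print(safe_download_headers('evil" \r\nX: y.html', "text/html; charset=utf-8"))
```

The CSP `sandbox` directive gives the response an opaque origin, so even an inline rendering would not share the application's cookies, storage or DOM; `nosniff` plus `application/octet-stream` keeps the browser from deciding the bytes are HTML on its own. Headers cannot fix the root cause the advisory names, which is that uploads live under the application's origin at all; serving them from a dedicated download host is the remaining design step this example does not show.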
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS vulnerability via unrestricted HTML file upload directly enables exploitation of a public-facing web application (T1190), execution of arbitrary JavaScript in the victim's browser context (T1059.007), and theft of web session cookies or tokens, as the advisory explicitly describes.
NVD Description
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue.
Deeper analysis
CVE-2026-28274 is a stored cross-site scripting (XSS) vulnerability in the document upload functionality of Initiative, a self-hosted project management platform. Versions prior to 0.32.4 are affected: any user with upload permissions in the "Initiatives" section can upload malicious .html or .htm files. These files are served under the application's origin without proper sandboxing, allowing embedded JavaScript to execute in the context of the application. The vulnerability is rated with a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
An attacker with low-privilege access, such as any authenticated user granted upload permissions, can exploit this by uploading a malicious HTML file containing JavaScript that exfiltrates sensitive data like authentication tokens or session cookies to an attacker-controlled server. The exploit requires user interaction, as victims must access the uploaded file, but the file's direct link can be shared easily, leading to execution under the application's domain. This results in high confidentiality and integrity impacts with a changed scope, potentially compromising other users' sessions.
The GitHub security advisory (GHSA-v38c-x27x-p584) and release notes for version 0.32.4 detail the fix, recommending immediate upgrade to Initiative 0.32.4 or later to mitigate the issue by addressing the lack of sandboxing and unsafe file serving.
Details
- CWE(s)