Cyber Resilience

CVE-2026-28274

High · Public PoC

Published: 26 February 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: fixed in 0.32.4
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0055 (41.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28274 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Morelitea Initiative. Its CVSS base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 41.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-28274 is a stored cross-site scripting (XSS) vulnerability in the document upload functionality of Initiative, a self-hosted project management platform. Versions prior to 0.32.4 are affected: any user with upload permissions in the "Initiatives" section can upload a malicious .html or .htm file as a document. The application serves that file under its own origin without sandboxing, so any embedded JavaScript executes in the context of the application. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) together with CWE-434 (Unrestricted Upload of File with Dangerous Type).

An attacker with low-privilege access, such as any authenticated user granted upload permissions, exploits this by uploading an HTML file whose script exfiltrates sensitive data such as authentication tokens or session cookies to an attacker-controlled server. User interaction is required (hence UI:R): a victim must open the uploaded file. Because the file is hosted under the application's domain, sharing its direct link is enough, and anyone who follows that link runs the script in the application's context. The result is high confidentiality and integrity impact with a changed scope, since other users' sessions can be taken over; availability is not affected.

The GitHub security advisory (GHSA-v38c-x27x-p584) and release notes for version 0.32.4 detail the fix, recommending immediate upgrade to Initiative 0.32.4 or later to mitigate the issue by addressing the lack of sandboxing and unsafe file serving.

Vulnerability details

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

The stored XSS vulnerability via unrestricted HTML file upload directly enables exploitation of a public-facing web application (T1190), execution of arbitrary JavaScript in the victim's browser context (T1059.007), and theft of web session cookies or tokens, which the advisory explicitly describes (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
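A triage check, added here as an example and not part of the advisory or of the Initiative project: given web-server access logs, list who uploaded documents and who later fetched an .html or .htm document, which is the first question to answer when assessing exposure to this bug. The combined log format, the URL layout /initiatives/<id>/documents/<file>, the function names and the sample lines are constructed assumptions for illustration.

```python
"""
Added triage example (not Initiative's code): find uploads and views of
.html/.htm documents in access logs. Log format and URL layout are assumed.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed layout:
# uploads are POSTs to the collection, views are GETs of the stored file.
SAMPLE_LOG = """\
203.0.113.7 - alice [26/Feb/2026:10:02:11 +0000] "POST /initiatives/42/documents HTTP/1.1" 201 88 "-" "Mozilla/5.0"
203.0.113.7 - alice [26/Feb/2026:10:02:30 +0000] "GET /initiatives/42/documents/roadmap.pdf HTTP/1.1" 200 51233 "-" "Mozilla/5.0"
198.51.100.9 - mallory [26/Feb/2026:10:15:02 +0000] "POST /initiatives/42/documents HTTP/1.1" 201 90 "-" "curl/8.5.0"
198.51.100.9 - mallory [26/Feb/2026:10:15:09 +0000] "GET /initiatives/42/documents/status.html HTTP/1.1" 200 1412 "-" "curl/8.5.0"
203.0.113.7 - alice [26/Feb/2026:11:40:55 +0000] "GET /initiatives/42/documents/status.html HTTP/1.1" 200 1412 "https://pm.example.test/initiatives/42" "Mozilla/5.0"
192.0.2.33 - bob [26/Feb/2026:11:41:20 +0000] "GET /initiatives/42/documents/status.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format with an authenticated user in the third field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
DOC_FILE_RE = re.compile(r"^/initiatives/(?P<init>\d+)/documents/(?P<file>[^/?]+)$")
UPLOAD_RE = re.compile(r"^/initiatives/(?P<init>\d+)/documents/?$")
DANGEROUS = (".html", ".htm")


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def upload_events(log_text):
    """(initiative id, user, ip, timestamp) for every successful document upload.
    The filename is not in the request line, so this only narrows who to ask."""
    out = []
    for rec in parse(log_text):
        m = UPLOAD_RE.match(rec["path"])
        if rec["method"] == "POST" and m and rec["status"].startswith("2"):
            out.append((m.group("init"), rec["user"], rec["ip"], rec["ts"]))
    return out


def stored_html_views(log_text):
    """{document path: [(user, ip, timestamp, status), ...]} for fetches of
    .html/.htm documents. 304 counts as a view: the browser already holds a
    copy from an earlier 200 and renders it again."""
    views = defaultdict(list)
    for rec in parse(log_text):
        m = DOC_FILE_RE.match(rec["path"])
        if rec["method"] != "GET" or not m:
            continue
        if not m.group("file").lower().endswith(DANGEROUS):
            continue
        if rec["status"] not in ("200", "304"):
            continue
        views[rec["path"]].append((rec["user"], rec["ip"], rec["ts"], rec["status"]))
    return dict(views)


def exposed_users(log_text):
    """Users whose browser rendered a stored HTML document, i.e. the set whose
    sessions should be invalidated once the file is confirmed malicious."""
    return sorted({u for recs in stored_html_views(log_text).values() for u, *_ in recs})


if __name__ == "__main__":
    for init, user, ip, ts in upload_events(SAMPLE_LOG):
        print(f"upload  initiative={init} user={user} ip={ip} at {ts}")
    for path, recs in stored_html_views(SAMPLE_LOG).items():
        print(f"viewed  {path}")
        for user, ip, ts, status in recs:
            print(f"        {user} from {ip} at {ts} ({status})")
    print("sessions to revoke:", ", ".join(exposed_users(SAMPLE_LOG)))
```

The first viewer of a dangerous document, when it is also the account that uploaded moments earlier from a non-browser user agent, is usually the uploader checking the link; every later viewer is a candidate victim whose session token should be rotated, which is why the exposed-user set is reported separately.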

CVEs Like This One

CVE-2026-28276 · Same product: Morelitea Initiative
CVE-2026-28275 · Same product: Morelitea Initiative
CVE-2026-25648 · Shared CWE-434, CWE-79
CVE-2025-22132 · Shared CWE-434, CWE-79
CVE-2026-27099 · Shared CWE-79
CVE-2026-25442 · Shared CWE-79
CVE-2026-1008 · Shared CWE-79
CVE-2025-23683 · Shared CWE-79
CVE-2025-31102 · Shared CWE-79
CVE-2026-33348 · Shared CWE-79

Affected Assets

morelitea / initiative · ≤ 0.32.2

Note that the structured range above stops at 0.32.2, while the advisory text states that every version prior to 0.32.4 is affected. Treat 0.32.3 as affected as well and upgrade to 0.32.4 or later.

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation · prevent

Directly prevents the upload of malicious .html or .htm files by validating document inputs for dangerous content or file types.

SI-15 Information Output Filtering · prevent

Filters or sanitizes output when serving user-uploaded HTML files to neutralize embedded JavaScript and prevent XSS execution in the application's context. In practice this means not serving uploads as active content under the application's origin at all (forced download, no MIME sniffing, or a separate origin) rather than attempting to sanitize arbitrary HTML at serve time.

SI-2 Flaw Remediation · prevent

Requires timely flaw remediation by patching to version 0.32.4 or later, which fixes the lack of sandboxing and unsafe serving of uploaded HTML files.
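As an added example, not code from the Initiative project or from this advisory, the following Python shows the serving anti-pattern the advisory describes beside the two fixes that SI-10 and SI-15 call for: an upload allowlist with a content sniff, and response headers that stop a stored file from rendering as a document under the application's origin. The function names, the allowlist and the header set are assumptions for illustration; Initiative's actual upload and serving code is not on this page.

```python
"""
Added example (not Initiative's code): why serving an uploaded .html file
under the application origin is stored XSS, and two independent layers of
fix. All names and the allowlist are illustrative assumptions.
"""
from __future__ import annotations

import mimetypes
import posixpath

# Assumed allowlist of document types a project-management tool needs.
# .svg is deliberately absent: it is XML that can carry <script>.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".txt", ".csv", ".docx", ".xlsx"}

# Types a browser will render as a document and execute script from.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def _safe_basename(filename: str) -> str:
    """Strip any path component (either separator) so a name cannot escape the store."""
    return posixpath.basename(filename.replace("\\", "/"))


def _looks_like_html(head: bytes) -> bool:
    """Cheap sniff, not a parser: catches HTML renamed to an allowed extension
    such as evil.txt, which a browser may still sniff and render as HTML."""
    h = head.lstrip().lower()[:512]
    return h.startswith(b"<!doctype html") or b"<html" in h or b"<script" in h


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """SI-10 layer: decide whether an upload may be stored. Returns (ok, reason)."""
    ext = posixpath.splitext(_safe_basename(filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if _looks_like_html(content[:1024]):
        return False, "content sniffs as HTML"
    return True, "ok"


def response_headers_vulnerable(filename: str) -> dict[str, str]:
    """The anti-pattern: guess a MIME type from the name and serve the body
    inline under the application's origin. For evil.html this is text/html,
    so the browser renders it and its script runs with the app's cookies,
    localStorage and any token the app keeps there."""
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return {"Content-Type": ctype}


def response_headers_hardened(filename: str) -> dict[str, str]:
    """SI-15 layer: even if a dangerous file reached storage, serve it so the
    browser will not execute it in the application's context."""
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    if ctype in ACTIVE_TYPES:
        ctype = "text/plain"  # never let stored user content render as a document
    safe_name = _safe_basename(filename).replace('"', "")
    return {
        "Content-Type": ctype,
        # Force a download instead of inline rendering.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Stop MIME sniffing from upgrading text/plain back to text/html.
        "X-Content-Type-Options": "nosniff",
        # If something still renders it, an empty sandbox means no script
        # and an opaque origin, so no access to the app's cookies or storage.
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample uploads.
    samples = [
        ("evil.html", b"<script>alert(1)</script>"),
        ("notes.txt", b"<!DOCTYPE html><html><script>alert(1)</script></html>"),
        ("report.pdf", b"%PDF-1.7\n%...\n"),
    ]
    for name, body in samples:
        print(name, validate_upload(name, body))
    print("vulnerable:", response_headers_vulnerable("evil.html"))
    print("hardened:  ", response_headers_hardened("evil.html"))
```

Serving documents from a separate, cookie-less origin (a dedicated downloads host) is the stronger form of the SI-15 control: a text/plain response under the application's origin still shares that origin's cookies and storage with anything else that can be coaxed into rendering it. The header set above is the minimum when a second origin is not available, and the upload allowlist is what keeps the file out of storage in the first place.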
