Description
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue.
Published: 2026-02-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential theft
Action: Immediate patch
AI Analysis

Impact

Initiative, a self‑hosted project management platform, is affected by a stored cross‑site scripting flaw in its document upload feature. Versions prior to 0.32.4 allow users with upload rights to place a malicious .html or .htm file that the application serves from its own domain. The embedded JavaScript runs in the context of the application, permitting an attacker to capture authentication tokens, session cookies, or other sensitive data and send it to a remote server, thereby achieving credential theft and data exfiltration. Because the file is hosted under the application’s domain, any user who opens a shared link can trigger the same attack, magnifying the potential impact.

Affected Systems

Morelitea Initiative is the affected product. All releases earlier than version 0.32.4 are impacted. Users who run the Initiatives section and have upload permissions are at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score of <1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. An attacker who can upload documents, such as an insider or a compromised user, can deliver the malicious file. Once a user opens the file, the script executes in their browser session, enabling the attacker to exfiltrate authentication tokens, session cookies, or other sensitive data.

Generated by OpenCVE AI on April 18, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Initiative to version 0.32.4 or later to eliminate the XSS vulnerability.
  • Restrict upload permissions for the Initiatives section to trusted users only and block the upload of .html/.htm files until the patch is applied.
  • If upgrading is delayed, enforce a strict content security policy and prevent uploaded files from being served under the application’s origin to limit the exposure of stored XSS payloads.

Generated by OpenCVE AI on April 18, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Morelitea
Morelitea initiative
Vendors & Products Morelitea
Morelitea initiative

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue.
Title Initiative Vulnerable to Token Theft via Stored XSS in Document Uploads
Weaknesses CWE-434
CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Morelitea Initiative
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:48:34.045Z

Reserved: 2026-02-26T01:52:58.734Z

Link: CVE-2026-28274

cve-icon Vulnrichment

Updated: 2026-02-27T17:48:19.135Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T23:16:37.073

Modified: 2026-02-27T19:07:37.763

Link: CVE-2026-28274

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses