CVE-2026-28274
Published: 26 February 2026
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2026-28274 is a stored cross-site scripting (XSS) vulnerability in the document upload functionality of Initiative, a self-hosted project management platform. Versions prior to 0.32.4 are affected: a user with upload permissions in the "Initiatives" section can upload a malicious .html or .htm file, and the application serves it under its own origin without sandboxing, so any embedded JavaScript executes in the context of the application. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
An attacker with low-privilege access, such as any authenticated user granted upload permissions, can exploit this by uploading a malicious HTML file containing JavaScript that exfiltrates sensitive data like authentication tokens or session cookies to an attacker-controlled server. The exploit requires user interaction, as victims must access the uploaded file, but the file's direct link can be shared easily, leading to execution under the application's domain. This results in high confidentiality and integrity impacts with a changed scope, potentially compromising other users' sessions.
The GitHub security advisory (GHSA-v38c-x27x-p584) and release notes for version 0.32.4 detail the fix, recommending immediate upgrade to Initiative 0.32.4 or later to mitigate the issue by addressing the lack of sandboxing and unsafe file serving.
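The root cause described above is a generic pattern: an upload handler that serves stored files inline, under the application's own origin, with a content type guessed from the extension. The following is an added example, not Initiative's code and not the fix shipped in 0.32.4, showing that 'before' handler next to a hardened one. The `Response` class, handler names and the sniffing list are hypothetical; the HTTP headers it sets (`Content-Disposition: attachment`, `X-Content-Type-Options: nosniff`, `Content-Security-Policy: sandbox`) are real browser mechanisms.

```python
"""Serving user-uploaded files without letting them run as the application.

Added example, not Initiative's code: a minimal 'before' handler that serves an
upload inline under the app origin (the CWE-434 / CWE-79 pattern the advisory
describes) next to a hardened handler. Response class and handler names are
hypothetical; only the HTTP header semantics are real.
"""
import mimetypes
import re
from dataclasses import dataclass, field

# Types a browser will render as a document and execute script from (constructed list).
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}

# Cheap sniff so markup hidden behind a harmless extension (.txt, .log) is still caught.
HTML_SNIFF = re.compile(rb"<\s*(!doctype\s+html|html|script|svg|iframe|body)\b", re.IGNORECASE)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def serve_upload_insecure(name: str, data: bytes) -> Response:
    """'Before': type taken from the extension, served inline on the app origin.
    A stored .html upload becomes a page of the application, so its script runs
    with the application's cookies and tokens in scope."""
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    return Response(200, {"Content-Type": ctype}, data)


def is_active_content(name: str, data: bytes) -> bool:
    """True when the extension or the leading bytes indicate browser-executable markup."""
    ctype = mimetypes.guess_type(name)[0] or ""
    return ctype in ACTIVE_TYPES or bool(HTML_SNIFF.search(data[:1024]))


def safe_filename(name: str) -> str:
    """Strip anything that could break out of the Content-Disposition quoted string."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)[:255] or "download"


def serve_upload_hardened(name: str, data: bytes) -> Response:
    """'After': never let an upload render as an application page.

    - Content-Disposition: attachment  -> browser downloads instead of rendering
    - X-Content-Type-Options: nosniff   -> browser trusts the declared type
    - Content-Security-Policy: sandbox  -> even if rendered, no script, opaque origin
    - active markup is additionally relabelled application/octet-stream
    """
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    if is_active_content(name, data):
        ctype = "application/octet-stream"
    headers = {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_filename(name)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
    return Response(200, headers, data)


if __name__ == "__main__":
    # Constructed sample: a stored HTML upload with a script tag, and a benign PDF.
    html_upload = b"<!DOCTYPE html><html><script>/* runs as the app if rendered inline */</script></html>"
    for handler in (serve_upload_insecure, serve_upload_hardened):
        print(handler.__name__, handler("notes.html", html_upload).headers)
    print("pdf:", serve_upload_hardened("report.pdf", b"%PDF-1.7\n").headers)
```

The two defences are independent: `attachment` stops the common case where a shared direct link renders the file, and the `sandbox` directive removes script and same-origin access if a viewer renders it anyway. The stronger architectural fix, serving user content from a dedicated origin that holds no application cookies, is not shown here; the advisory itself describes the 0.32.4 change only as addressing the missing sandboxing and unsafe file serving.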
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS vulnerability via unrestricted HTML file upload directly enables exploitation of a public-facing web application (T1190), execution of arbitrary JavaScript in the victim context (T1059.007), and theft of web session cookies or tokens as explicitly described.