Home / Vulnerability Intelligence / CVE-2026-28274

CVE-2026-28274 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: February 26, 2026

Initiative - Stored XSS

Published: February 26, 2026Updated: February 26, 2026Remote Exploitable

Overview

Initiative < 0.32.4 contains a stored XSS caused by improper sanitization of uploaded .html/.htm files in document upload, letting users with upload permissions execute scripts in application context, exploit requires upload permissions.

Severity & Score

Severity: High

CVSS Score: 8.7

Impact

Attackers with upload permissions can execute scripts to steal authentication tokens and session cookies, compromising user accounts and data.

Mitigation

Upgrade to version 0.32.4 or later.

References

https://github.com/Morelitea/initiative/releases/tag/v0.32.4
https://github.com/Morelitea/initiative/security/advisories/GHSA-v38c-x27x-p584

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-28274
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: new

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N