Home / Vulnerability Intelligence / CVE-2026-28274

CVE-2026-28274 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: February 27, 2026

Initiative - Stored XSS

Published: February 26, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable

Overview

Initiative < 0.32.4 contains a stored XSS caused by improper sanitization of uploaded .html/.htm files in document upload, letting users with upload permissions execute scripts in application context, exploit requires upload permissions.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 6.8%(Probability of exploitation in next 30 days)

Impact

Attackers with upload permissions can execute scripts to steal authentication tokens and session cookies, compromising user accounts and data.

Mitigation

Upgrade to version 0.32.4 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 27, 2026

🟠 CVE-2026-28274 - High (8.7) Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28274/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28274
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: confirmed
EPSS: 6.8%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

6.8%Probability of exploitation in the next 30 days