Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-28254

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().

Published

2025-03-28T21:15:17.710

Last Modified

2025-04-07T14:42:18.000

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	leantime	leantime	< 3.3.0	Yes

References

https://github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php#L128 Product ([email protected])
https://github.com/Leantime/leantime/commit/ce1d2073e4601183e1bdd90f4b433d16aee46a50 Patch ([email protected])
https://github.com/Leantime/leantime/security/advisories/GHSA-95j3-435g-vjcp Vendor Advisory ([email protected])