What is the CVSS score of CVE-2026-28274?

CVE-2026-28274 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Initiative are affected by CVE-2026-28274?

Initiative project management instances running versions before 0.32.4 are vulnerable to stored XSS attacks through document uploads, allowing attackers to execute malicious code in users' browsers…

Is there a public PoC exploit available for CVE-2026-28274?

Yes, a public proof-of-concept exploit is available for CVE-2026-28274. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-28274?

Within 24 hours: Disable document upload functionality in Initiative or restrict access to trusted users only, and inventory all Initiative deployments with affected versions. Within 7 days: Monitor for exploitation attempts in access logs, implement input validation rules at the WAF level to block suspicious file uploads, and communicate risk status to stakeholders. Within 30 days: Upgrade to Initiative 0.32.4 or later as soon as available, or migrate to alternative project management platforms if patching timelines are unacceptable.

Initiative CVE-2026-28274

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-26 security-advisories@github.com

XSS Initiative

8.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.7 HIGH

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

PoC Detected

Feb 27, 2026 - 19:07 vuln.today

Public exploit code

CVE Published

Feb 26, 2026 - 23:16 nvd

HIGH 8.7

DescriptionGitHub Advisory

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious .html or .htm file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue.

AnalysisAI

Stored XSS in Initiative project management platform versions before 0.32.4 allows authenticated users with upload permissions to execute arbitrary JavaScript by uploading malicious HTML files that are served without sandboxing under the application's origin. An attacker can exploit this to steal authentication tokens, session cookies, and other sensitive data from other users, or trick them into executing malicious scripts by sharing direct file links. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as user with upload permissions

Delivery

Upload malicious HTML file to Initiatives section

Exploit

File served without sandboxing at application origin

Execution

Embedded JavaScript executes in victim browser context

Impact

Steal session cookies and authentication tokens