Skip to main content

Leantime

13 CVEs product

Monthly

CVE-2026-15510 LOW POC Monitor

Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to invoke the Setting::saveSetting function and modify application settings beyond their authorization level. The flaw is classified under CWE-285 (Improper Authorization) and is tagged as an authentication bypass and broken access control issue, meaning the application fails to enforce permission boundaries after login. A publicly available proof-of-concept exploit exists per VulDB and bytium.com; no CISA KEV listing was identified at time of analysis, and the vendor has not responded to disclosure.

Authentication Bypass Leantime
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15509 LOW POC Monitor

Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by manipulating the role argument in JSON-RPC requests to the editUser/addUser endpoint. The server fails to verify whether the calling user is authorized to assign elevated roles, a CWE-285 Improper Authorization flaw. A public proof-of-concept exploit has been disclosed, and the vendor did not respond to coordinated disclosure, meaning no patch is confirmed available.

Authentication Bypass Leantime
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-59712 HIGH PATCH This Week

Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row - password hashes, TOTP secrets, and session tokens - by invoking the users.getUser method with arbitrary user IDs (CWE-639, broken object-level authorization). Because the API returns records without verifying the caller owns or is authorized for the requested ID, a low-privileged user can enumerate and harvest credentials for every account, including administrators. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.6 (High).

Authentication Bypass Leantime
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-59713 HIGH PATCH This Week

Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a victim into an attacker-controlled account. The root cause is a stubbed verifyState() method that unconditionally returns true, so the OIDC state parameter is never validated, letting a crafted callback URL carrying an attacker-supplied authorization code complete login as the attacker. No public exploit identified at time of analysis, but a vendor patch and a public technical advisory (VulnCheck) exist; CVSS 4.0 is rated 8.6 (High).

CSRF Leantime
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2025-28254 PHP MEDIUM PATCH This Month

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Leantime
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-27477 MEDIUM POC This Month

In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XSS Leantime
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-27476 MEDIUM POC This Month

Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Leantime
NVD GitHub
CVSS 3.1
4.7
EPSS
0.6%
CVE-2024-27474 HIGH POC This Week

Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Leantime
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-27705 HIGH POC This Week

Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted PDF file to the files/browse endpoint. Rated high severity (CVSS 7.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection XSS RCE Leantime
NVD GitHub
CVSS 3.1
7.6
EPSS
0.6%
CVE-2024-27703 MEDIUM POC This Month

Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Leantime
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-45826 MEDIUM POC PATCH This Month

Leantime is an open source project management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

PHP SQLi Leantime
NVD GitHub
CVSS 3.1
6.5
EPSS
1.9%
CVE-2023-33961 MEDIUM This Month

Leantime is a lean open source project management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Leantime
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2020-5292 HIGH PATCH This Week

Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PHP Leantime
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
EPSS 0% CVSS 2.1
LOW POC Monitor

Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to invoke the Setting::saveSetting function and modify application settings beyond their authorization level. The flaw is classified under CWE-285 (Improper Authorization) and is tagged as an authentication bypass and broken access control issue, meaning the application fails to enforce permission boundaries after login. A publicly available proof-of-concept exploit exists per VulDB and bytium.com; no CISA KEV listing was identified at time of analysis, and the vendor has not responded to disclosure.

Authentication Bypass Leantime
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by manipulating the role argument in JSON-RPC requests to the editUser/addUser endpoint. The server fails to verify whether the calling user is authorized to assign elevated roles, a CWE-285 Improper Authorization flaw. A public proof-of-concept exploit has been disclosed, and the vendor did not respond to coordinated disclosure, meaning no patch is confirmed available.

Authentication Bypass Leantime
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row - password hashes, TOTP secrets, and session tokens - by invoking the users.getUser method with arbitrary user IDs (CWE-639, broken object-level authorization). Because the API returns records without verifying the caller owns or is authorized for the requested ID, a low-privileged user can enumerate and harvest credentials for every account, including administrators. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.6 (High).

Authentication Bypass Leantime
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a victim into an attacker-controlled account. The root cause is a stubbed verifyState() method that unconditionally returns true, so the OIDC state parameter is never validated, letting a crafted callback URL carrying an attacker-supplied authorization code complete login as the attacker. No public exploit identified at time of analysis, but a vendor patch and a public technical advisory (VulnCheck) exist; CVSS 4.0 is rated 8.6 (High).

CSRF Leantime
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Leantime
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XSS Leantime
NVD GitHub
EPSS 1% CVSS 4.7
MEDIUM POC This Month

Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Leantime
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Leantime
NVD GitHub
EPSS 1% CVSS 7.6
HIGH POC This Week

Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted PDF file to the files/browse endpoint. Rated high severity (CVSS 7.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection XSS RCE +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Leantime
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

Leantime is an open source project management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

PHP SQLi Leantime
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Leantime is a lean open source project management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Leantime
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PHP Leantime
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy