PT-2026-22222 · Unknown · Initiative
G3Xar · Published 2026-02-26 · Updated 2026-03-03
CVE-2026-28274 · CVSS v3.1 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerable software and affected versions: Initiative versions prior to 0.32.4

Description: Initiative is a self-hosted project management platform that is vulnerable to Stored Cross-Site Scripting (XSS) in its document upload functionality. Users with upload permissions in the "Initiatives" section can upload malicious .html or .htm files. These files are served under the application's own origin without sandboxing, so any embedded JavaScript executes in the application's context. This can lead to the exfiltration of authentication tokens, session cookies, or other sensitive data to an attacker-controlled server. Sharing the direct file link may also cause the malicious script to execute when the link is opened.

Recommendations: Upgrade to version 0.32.4 or later.
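The serving weakness described above, shown as an added defensive example that is not taken from Initiative's code base: a Python helper (hypothetical names) that decides how a stored upload is served, with the weak inline mode beside a hardened mode that forces a download, blocks MIME sniffing and applies a CSP sandbox.

```python
import re
from pathlib import PurePosixPath

# Extensions a browser renders as active content when served inline under the app origin.
# .html/.htm are the case on this page; .xhtml and .svg are added because they can carry script too.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg"}
# Markup that identifies HTML regardless of the extension the uploader chose.
HTML_SNIFF = re.compile(rb"<\s*(!doctype\s+html|html|script|body|iframe|svg)\b", re.IGNORECASE)


def is_active_content(filename: str, head: bytes) -> bool:
    """True if the file would run script when rendered inline by a browser."""
    ext = PurePosixPath(filename.lower()).suffix
    return ext in ACTIVE_EXTENSIONS or HTML_SNIFF.search(head[:1024]) is not None


def upload_response_headers(filename: str, head: bytes, declared_type: str,
                            hardened: bool = True) -> dict:
    """Response headers for serving a stored upload (hypothetical helper).

    hardened=False reproduces the weak behaviour: the declared type is trusted and the
    file is rendered inline, so an uploaded .html executes in the application's context.
    hardened=True forces a download, blocks MIME sniffing and sandboxes any rendering.
    """
    # Keep only the base name and strip characters that could break the header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", PurePosixPath(filename).name) or "download"
    if not hardened:
        return {"Content-Type": declared_type,
                "Content-Disposition": f'inline; filename="{safe_name}"'}
    active = is_active_content(filename, head)
    return {
        # Active content never gets a renderable type; other files keep their declared type.
        "Content-Type": "application/octet-stream" if active else declared_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        # Even if a client renders it anyway, the sandbox disables script and same-origin access.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```

Serving uploads from a separate, cookie-less origin is the stronger fix; the headers above reduce the impact when uploads must stay on the application origin.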

Weakness Enumeration

Unrestricted File Upload
XSS

Related Identifiers

CVE-2026-28274
GHSA-V38C-X27X-P584

Affected Products

Initiative