CVE-2025-28254

Published: Mar 28, 2025

Modified: Apr 1, 2025

PUBLISHED

Description

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php#L128

https://github.com/Leantime/leantime/commit/ce1d2073e4601183e1bdd90f4b433d16aee46a50

https://github.com/Leantime/leantime/security/advisories/GHSA-95j3-435g-vjcp

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-28254

Description

Affected Products

References