CVE-2025-28254
Description
Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated stored XSS in Leantime ≤ v3.2.1 via `processMentions()` allows arbitrary code execution through the first name field.
Vulnerability
Description
A stored cross-site scripting (XSS) vulnerability exists in Leantime versions 3.2.1 and earlier. The flaw resides in the processMentions() function within the notification service, where the user's first name field is insufficiently sanitized before being included in email notifications. An authenticated attacker can inject arbitrary JavaScript or HTML into their own first name, which is then stored and later rendered in messages sent to other users via the notification system. [1][2]
Attack
Vector and Prerequisites
Exploitation requires a valid Leantime account with the ability to edit the user's profile, specifically the first name field. The attack is authenticated but no special administrative privileges are required; any standard user can modify their own first name. When the attacker triggers a mention (e.g., by using the @username syntax in a comment or task description), the processMentions() function processes the notification and includes the unsanitized first name. This malicious payload is then delivered to the intended recipient(s) through the application's in-app or email notification system. The attack is therefore server-side stored and executed in the context of the victim's session when they view the notification. [3][4]
Impact
A successful exploit allows an authenticated attacker to execute arbitrary HTML and JavaScript in the browser of any user who receives a notification containing the crafted mention. This can lead to session hijacking, data exfiltration, manipulation of the user interface, and theft of sensitive information accessible to the victim within the Leantime application. Since the payload is stored in the database and persists until the affected user updates their first name, the attack can affect multiple victims over time. [2][4]
Mitigation
Status
The vulnerability is present in Leantime versions 3.2.1 and earlier. Users should upgrade to a patched version as soon as it becomes available. The project maintainers have acknowledged the issue and a security advisory (GHSA-95j3-435g-vjcp) has been published. Until an official patch is applied, administrators can mitigate the risk by restricting profile editing privileges or by implementing a web application firewall (WAF) rule to block XSS payloads in the first name field, though these are not complete solutions. [1][4]
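To make the escaping gap concrete, here is an added PHP example (constructed for this page, not Leantime's code): it contrasts the unescaped author-name lookup with the `htmlentities()` wrapper the fix commit applies, and shows why the null-coalescing fallback on the patched line can no longer be reached. The `$author` arrays, the `$fallback` string and the `renderNotification()` helper are assumptions standing in for the repository lookup, the `label.team_mate` translation and the e-mail template.

```php
<?php
// Constructed user records (assumptions, not data from the project).
// One user has stored an HTML payload as their first name; the other has none,
// so that the fallback branch is exercised as well.
$maliciousAuthor = ['firstname' => '<script>alert(1)</script>'];
$anonymousAuthor = ['firstname' => null];
$fallback = 'Team mate'; // stands in for $this->language->__('label.team_mate')

// Before the fix: the raw first name is returned and later interpolated into
// the notification HTML, so whatever the user typed is rendered as markup.
function authorNameVulnerable(array $author, string $fallback): string
{
    return $author['firstname'] ?? $fallback;
}

// Shape of the patched line: htmlentities() wraps the lookup, but ?? now binds
// to the encoded result, which is always a string, so the fallback is dead code.
// A missing name reaches htmlentities() as null (deprecated on PHP 8.1+) and
// yields an empty author name instead of the translated label.
function authorNamePatched(array $author, string $fallback): string
{
    return htmlentities($author['firstname']) ?? $fallback;
}

// Hardened form: resolve the fallback first, then encode the final value with
// ENT_QUOTES so single- and double-quoted attribute contexts are covered on
// every PHP version, and ENT_SUBSTITUTE so malformed UTF-8 cannot blank the string.
function authorNameHardened(array $author, string $fallback): string
{
    return htmlentities($author['firstname'] ?? $fallback, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Minimal stand-in for the HTML e-mail body that embeds the author name.
function renderNotification(string $authorName, string $taskTitle): string
{
    return "<p><b>{$authorName}</b> mentioned you in {$taskTitle}</p>";
}

// Vulnerable path: the <script> element survives into the rendered body.
echo renderNotification(authorNameVulnerable($maliciousAuthor, $fallback), 'Sprint review'), PHP_EOL;
// Hardened path: the same name is emitted as inert entity-encoded text.
echo renderNotification(authorNameHardened($maliciousAuthor, $fallback), 'Sprint review'), PHP_EOL;
// Fallback behaviour: the patched form prints nothing before the separator,
// the hardened form prints the fallback label.
echo authorNamePatched($anonymousAuthor, $fallback), ' | ', authorNameHardened($anonymousAuthor, $fallback), PHP_EOL;
```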
- GitHub - Leantime/leantime: Leantime is a goals focused project management system for non-project managers. Building with ADHD, Autism, and dyslexia in mind.
- NVD - CVE-2025-28254
- leantime/app/Domain/Notifications/Services/Notifications.php at 0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7 · Leantime/leantime
- HTML Injection in Email Notifications
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| leantime/leantime (Packagist) | < 3.3 | 3.3 |
Affected products
Patches
ce1d2073e460 · html entities around firstname in emails to prevent html from showing up
1 file changed · +1 −1
app/Domain/Notifications/Services/Notifications.php+1 −1 modified@@ -93,7 +93,7 @@ public function processMentions(string $content, string $module, int $moduleId, $links = $dom->getElementsByTagName('a'); $author = $this->userRepository->getUser($authorId); - $authorName = $author['firstname'] ?? $this->language->__('label.team_mate'); + $authorName = htmlentities($author['firstname']) ?? $this->language->__('label.team_mate'); for ($i = 0; $i < $links->count(); $i++) { $taggedUser = $links->item($i)->getAttribute('data-tagged-user-id');
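Review bot: on the `+` line the null-coalescing operator now binds to the return value of `htmlentities()`, which is always a string, so the `label.team_mate` fallback can no longer be reached; when `$author['firstname']` is absent or null, `htmlentities()` receives null (a deprecation on PHP 8.1 and later) and `$authorName` becomes an empty string rather than the translated label. Suggest moving the fallback inside the call, `htmlentities($author['firstname'] ?? $this->language->__('label.team_mate'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, passing `ENT_QUOTES` explicitly because on PHP versions before 8.1 the default flag set is `ENT_COMPAT` and leaves single-quoted attribute contexts unencoded. The hunk does not show where `$authorName` is consumed; if the same variable also feeds a plain-text or in-app notification path, encoding at the lookup instead of at each HTML sink will show literal entities there, so the consumers should be checked.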
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-95j3-435g-vjcp (source: GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-28254 (source: GHSA, advisory)
- github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php (source: GHSA, web)
- github.com/Leantime/leantime/commit/ce1d2073e4601183e1bdd90f4b433d16aee46a50 (source: GHSA, web)
- github.com/Leantime/leantime/security/advisories/GHSA-95j3-435g-vjcp (source: GHSA, web)
News mentions
No linked articles in our index yet.