CVE-2024-27474

HIGH

Leantime 3.0.6 - Cross-Site Request Forgery


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-27474, a PoC writeup published by dead1nfluence.

AI-analyzed exploit summary: This repository contains a writeup describing three vulnerabilities (CSRF, HTML injection, and XSS) in Leantime 3.0.6, including CVE-2024-27474, which allows privilege escalation to administrator via CSRF.

Description

Leantime 3.0.6 is vulnerable to Cross-Site Request Forgery (CSRF). An attacker who lures an authenticated user, in particular an administrator, onto a page they control can make that user's browser submit state-changing requests to Leantime, which the application accepts because the session cookie is attached automatically. The public writeup uses this to escalate a lower-privileged account to administrator.
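To make the failure mode concrete, the following is an added illustration, not Leantime's code and not the published PoC: a toy "change a user's role" handler that authorises on the session cookie alone, beside a hardened version that additionally checks the request Origin and a per-session synchroniser token. All names (`set_role_vulnerable`, `SITE_ORIGIN`, the users `admin` and `alice`, the attacker origin) are hypothetical, and `simulate()` replays a cross-site POST against both handlers.

```python
"""Toy model of the CSRF class behind CVE-2024-27474 (illustration only,
not Leantime's code; every endpoint, user and origin here is hypothetical)."""
import hmac
import secrets

SITE_ORIGIN = "https://leantime.example"  # hypothetical deployment origin


def fresh_state():
    # Constructed sample data: one administrator and one ordinary user.
    return {
        "users": {"admin": {"role": "admin"}, "alice": {"role": "editor"}},
        "sessions": {},
    }


def login(state, user):
    """Create a session; the hardened handler also binds a CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    state["sessions"][sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _actor(state, cookies):
    return state["sessions"].get(cookies.get("session"))


def set_role_vulnerable(state, cookies, form, headers=None):
    """Vulnerable pattern: authorisation rests on the session cookie only.
    A browser sends that cookie with a cross-site form POST too, so a
    logged-in admin who visits an attacker page performs the change."""
    s = _actor(state, cookies)
    if s is None or state["users"][s["user"]]["role"] != "admin":
        return 403
    state["users"][form["user"]]["role"] = form["role"]
    return 200


def set_role_hardened(state, cookies, form, headers):
    """Hardened pattern: same authorisation plus two independent CSRF checks."""
    s = _actor(state, cookies)
    if s is None or state["users"][s["user"]]["role"] != "admin":
        return 403
    # Check 1: the request must come from our own origin. Browsers set Origin
    # (or Referer) on cross-site POSTs and a web page cannot forge either.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403
    # Check 2: synchroniser token bound to the session. The attacker's page
    # cannot read it across origins, so it cannot be included in the forged form.
    if not hmac.compare_digest(form.get("csrf_token", ""), s["csrf"]):
        return 403
    state["users"][form["user"]]["role"] = form["role"]
    return 200


def simulate():
    """Replay a forged cross-site POST against both handlers, then a legitimate
    same-site request against the hardened one. Returns {name: (status, alice_role)}."""
    results = {}
    forged = {"user": "alice", "role": "admin"}          # attacker-chosen form body
    headers = {"Origin": "https://attacker.example"}     # set by the victim's browser
    for name, handler in (("vulnerable", set_role_vulnerable),
                          ("hardened", set_role_hardened)):
        state = fresh_state()
        sid = login(state, "admin")       # victim: a logged-in administrator
        cookies = {"session": sid}        # attached automatically by the browser
        status = handler(state, cookies, forged, headers)
        results[name] = (status, state["users"]["alice"]["role"])

    state = fresh_state()
    sid = login(state, "admin")
    legit = dict(forged, csrf_token=state["sessions"][sid]["csrf"])
    status = set_role_hardened(state, {"session": sid}, legit, {"Origin": SITE_ORIGIN})
    results["legitimate"] = (status, state["users"]["alice"]["role"])
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:10s} -> status {outcome[0]}, alice is now {outcome[1]!r}")
```

The two checks are deliberately independent: the Origin check alone is defeated if a deployment strips or proxies away the header, and the token alone is defeated if it ever leaks (for example through the HTML injection or XSS reported in the same writeup). Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer.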

Exploits (1)

nomisec WRITEUP
by dead1nfluence · poc
https://github.com/dead1nfluence/Leantime-POC

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Leantime 3.0.6
No auth needed (attacker side; the victim must hold an authenticated, privileged Leantime session)
Prerequisites: Access to a vulnerable Leantime instance · Ability to trick a user into interacting with malicious content
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.0065 (0.65%)
EPSS Percentile 46.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-352 (Cross-Site Request Forgery)
Status published
Products (1)
leantime/leantime 3.0.6
Published Apr 10, 2024
Tracked Since Feb 18, 2026