CVE-2025-28254

MEDIUM

Leantime < 3.3.0 - Authenticated Stored Cross-Site Scripting via First Name Field in processMentions()

Title source: llm
STIX 2.1

Description

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().

Scores

CVSS v3 5.4
EPSS 0.0030
EPSS Percentile 21.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
leantime/leantime < 3.3.0
leantime/leantime 0 - 3.3Packagist
Published Mar 28, 2025
Tracked Since Feb 18, 2026