CVE-2026-28275

HIGH

Initiative < 0.32.4 - Insufficient Session Expiration via JWT Token Invalidation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-28275. PoCs published by G3XAR.

AI-analyzed exploit summary

The repository contains detailed technical writeups for multiple CVEs, including CVE-2026-28275, with root cause analysis, proof-of-concept steps, and impact assessments. It provides clear exploitation steps and code snippets for XSS vulnerabilities but does not include full exploit code.

Description

Initiative is a self-hosted project management platform. Versions prior to 0.32.4 do not invalidate previously issued JWT access tokens when a user changes their password: a token issued before the change remains valid until its own expiry and can still be used against protected API endpoints. The practical consequence is that rotating the password, the usual response to a suspected credential or token compromise, does not cut off an attacker who already holds a token. Version 0.32.4 fixes the issue (CWE-613, Insufficient Session Expiration).
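The following is an added example, not code from Initiative or from the linked writeup, showing why a JWT that passes signature and expiry checks outlives a password change, and one way to bind tokens to the credential that issued them. The HS256 helpers use only the standard library so it runs offline; the claim names (`iat`, `ver`), the user record fields (`password_changed_at`, `token_version`) and the timeline are assumptions constructed for illustration.

```python
"""Vulnerable vs. hardened JWT verification after a password change (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"demo-signing-key"  # constructed for the example; never reuse a literal key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(user: dict, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue an HS256 access token carrying iat, exp and the user's token version."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user["id"], "iat": now, "exp": now + ttl, "ver": user["token_version"]}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature_and_expiry(token: str, now: int) -> Optional[dict]:
    """Signature and exp only: the point at which the vulnerable code stops.
    The header's alg is deliberately ignored; we always verify with our own HS256 key."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def verify_vulnerable(token: str, users: dict, now: int) -> Optional[dict]:
    """Mirrors the flaw: a valid signature and an unexpired exp are enough."""
    payload = _verify_signature_and_expiry(token, now)
    if payload is None or payload.get("sub") not in users:
        return None
    return payload


def verify_hardened(token: str, users: dict, now: int) -> Optional[dict]:
    """Also reject tokens minted before the last password change or carrying a stale version."""
    payload = _verify_signature_and_expiry(token, now)
    if payload is None:
        return None
    user = users.get(payload.get("sub"))
    if user is None:
        return None
    # iat needs no schema change but has one-second granularity; the version counter
    # closes that window and also lets an admin revoke everything with one increment.
    if payload.get("iat", 0) < user["password_changed_at"]:
        return None
    if payload.get("ver") != user["token_version"]:
        return None
    return payload


def change_password(user: dict, now: int) -> None:
    """On password change, record the time and bump the version so older tokens die."""
    user["password_changed_at"] = now
    user["token_version"] += 1


def scenario() -> tuple:
    """Constructed timeline: token stolen at t=1000, password rotated at t=2000,
    token replayed at t=3000 (still inside its 3600 s lifetime).
    Returns (vulnerable_accepts, hardened_accepts)."""
    users = {"alice": {"id": "alice", "password_changed_at": 0, "token_version": 1}}
    stolen = mint_token(users["alice"], now=1000)
    change_password(users["alice"], now=2000)
    vulnerable = verify_vulnerable(stolen, users, now=3000) is not None
    hardened = verify_hardened(stolen, users, now=3000) is not None
    return vulnerable, hardened


if __name__ == "__main__":
    print(scenario())  # (True, False)
```

Either server-side check is a fix on its own; storing `password_changed_at` per user is the smaller change, while a per-user token version (or a server-side denylist keyed by `jti`) is what lets you revoke a single stolen token without forcing the user to change their password.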

Exploits (1)

github WRITEUP
by G3XAR · poc
https://github.com/G3XAR/Security-Research/tree/main/CVE-2026-28275


Classification
Writeup 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Initiative (version < 0.32.2)
Auth required
Prerequisites: User with upload permissions in the 'Initiatives' section
devstral-2 · analyzed Feb 27, 2026

Note: the attack type (XSS), target range (< 0.32.2) and upload-permission prerequisite in this automated classification do not match the CVE description above (CWE-613: JWT tokens remain valid after a password change, fixed in 0.32.4). The linked repository covers several CVEs, and these fields likely describe another writeup in it; for this CVE the only precondition the description supports is possession of a token issued before the password change.

Scores

CVSS v3 8.1
EPSS 0.0037
EPSS Percentile 28.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-613
Status published
Products (1)
morelitea/initiative < 0.32.4
Published Feb 26, 2026
Tracked Since Feb 27, 2026