CVE-2026-28274 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 and CWE-434, impacting the Morelitea initiative, a self-hosted project management platform. Versions prior to 0.32.4 allow any user with upload permissions in the "Initiatives" section to upload malicious `.html` or `.htm` files. These files are served directly from the application’s domain without sandboxing or proper input neutralization, enabling embedded JavaScript to execute in the security context of the application. This execution can lead to theft of sensitive information such as authentication tokens and session cookies, potentially allowing attackers to hijack user sessions or perform actions on behalf of victims. The vulnerability requires the attacker to have upload permissions and some user interaction (e.g., a victim accessing the malicious file link). The scope of impact is significant because the malicious content is hosted under the trusted application origin, bypassing same-origin policy protections. The vulnerability has a CVSS 3.1 base score of 8.7 (high severity), reflecting its ease of exploitation over the network with low complexity and the potential for high confidentiality and integrity impact. The vulnerability was publicly disclosed on February 26, 2026, and fixed in version 0.32.4 of the initiative platform. No known exploits in the wild have been reported yet.

This vulnerability poses a serious risk to organizations using the Morelitea initiative platform, especially those running versions prior to 0.32.4. Exploitation can lead to theft of session cookies and authentication tokens, enabling attackers to impersonate legitimate users, escalate privileges, or access sensitive project management data. This can result in unauthorized data disclosure, manipulation of project information, and potential disruption of business operations. Since the malicious HTML files are served from the application’s domain, the attack bypasses many browser security controls, increasing the likelihood of successful exploitation. Organizations with multiple users having upload permissions are at higher risk, as any compromised user account can be leveraged to upload malicious files. The vulnerability also undermines user trust and may lead to compliance issues if sensitive data is exposed. Although no exploits are currently known in the wild, the ease of exploitation and high impact make this a critical issue to address promptly.

To mitigate this vulnerability, organizations should immediately upgrade the Morelitea initiative platform to version 0.32.4 or later, where the issue is fixed. Until upgrading, restrict document upload permissions strictly to trusted users with a demonstrated need. Implement additional controls such as file type validation to block `.html` and `.htm` files from being uploaded. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and restrict resource loading to trusted domains. Consider sandboxing uploaded documents or serving them from a separate domain or subdomain to isolate them from the main application origin, preventing script execution in the application context. Regularly audit user permissions and monitor logs for suspicious upload activity. Educate users about the risks of clicking on untrusted links, especially those pointing to uploaded documents. Finally, conduct security testing and code reviews focused on input validation and output encoding to prevent similar vulnerabilities in the future.