CVE-2025-28254 Information

Description

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().

Reference

https://github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php#L128 https://github.com/Leantime/leantime/commit/ce1d2073e4601183e1bdd90f4b433d16aee46a50 https://github.com/Leantime/leantime/security/advisories/GHSA-95j3-435g-vjcp