GHSA-qrfh-cc86-vc8c: Leantime has HTML injection through firstname and lastname fields

March 5, 2026

Leantime v2.3.27 is vulnerable to Stored HTML Injection. The firstname and lastname fields in the admin user edit page are rendered without HTML escaping, allowing an authenticated user to inject arbitrary HTML that executes when the profile is viewed.

References

github.com/Leantime/leantime
github.com/Leantime/leantime/commit/3f8b2c6346111694bb18cec558b27c22d3a2b9d1
github.com/Leantime/leantime/security/advisories/GHSA-qrfh-cc86-vc8c
github.com/advisories/GHSA-qrfh-cc86-vc8c

Code Behaviors & Features

Detect and mitigate GHSA-qrfh-cc86-vc8c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →