CVE-2025-28254: Leantime affected by Improper Neutralization of HTML Tags
HTML can be arbitrarily injected into emails sent by Leantime because HTML tags in users' first names are not properly neutralized before the name is embedded in the email body. This effectively allows phishing emails to be crafted and sent from a Leantime instance's own email address.
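The defect class behind this advisory, shown as an added PHP example that is not Leantime's own code: a user-controlled first name interpolated into an HTML email body without escaping, beside the same template with output escaping applied. The function names, the email template and the sample name are assumptions for illustration; the affected file in the project is app/Domain/Notifications/Services/Notifications.php, referenced below.

```php
<?php
// Added example (not Leantime's own code). Function names and the template
// are assumptions; they illustrate the vulnerability class, not the project's
// actual implementation.
declare(strict_types=1);

// Vulnerable pattern: the first name is dropped straight into an HTML email
// body, so any markup stored in the profile field is rendered by the mail
// client as live HTML.
function buildGreetingUnsafe(string $firstName): string
{
    return "<p>Hello {$firstName},</p><p>You have a new notification.</p>";
}

// Hardened pattern: escape for an HTML text context at the point of output.
// ENT_QUOTES covers both quote styles (so the value is also safe inside
// attributes), ENT_SUBSTITUTE avoids returning an empty string on invalid
// UTF-8, and the explicit charset avoids depending on default_charset.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function buildGreetingSafe(string $firstName): string
{
    return '<p>Hello ' . escapeHtml($firstName) . ',</p>'
         . '<p>You have a new notification.</p>';
}

// Regression check a reviewer would add: no raw angle bracket from the
// untrusted input may survive into the rendered body.
function leaksRawMarkup(string $rendered, string $input): bool
{
    $tags = [];
    preg_match_all('/<[^>]+>/', $input, $tags);
    foreach ($tags[0] as $tag) {
        if (str_contains($rendered, $tag)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: a first name carrying markup, as a user could store it
// through the profile form. The tag is deliberately harmless.
$firstName = 'Alice <b>Support Team</b>';

echo buildGreetingUnsafe($firstName), PHP_EOL;
echo buildGreetingSafe($firstName), PHP_EOL;

var_dump(leaksRawMarkup(buildGreetingUnsafe($firstName), $firstName)); // unsafe path
var_dump(leaksRawMarkup(buildGreetingSafe($firstName), $firstName));   // hardened path
```

Escaping belongs at the output boundary (the email template), because the same stored name may later be rendered in other contexts. Rejecting angle brackets at profile-update time is reasonable defence in depth, but it does not replace output escaping, since other code paths and legacy data can still carry markup.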
References
- github.com/Leantime/leantime
- github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php
- github.com/Leantime/leantime/commit/ce1d2073e4601183e1bdd90f4b433d16aee46a50
- github.com/Leantime/leantime/security/advisories/GHSA-95j3-435g-vjcp
- github.com/advisories/GHSA-95j3-435g-vjcp
- nvd.nist.gov/vuln/detail/CVE-2025-28254