GHSA-52xf-h226-pfgx: Leantime allows Refelected Cross-Site Scripting (XSS)

February 21, 2025 (updated October 31, 2025)

The vulnerability in Leantime’s “overdue” section allows attackers to upload malicious image files containing XSS payloads. When other users view these files, the scripts execute, enabling attackers to steal sensitive information or perform unauthorized actions. Improving input validation and output encoding in the file upload process can prevent this exploit. Accessing and enhancing the relevant source code modules is crucial for addressing this security flaw effectively.

References

github.com/Leantime/leantime
github.com/Leantime/leantime/security/advisories/GHSA-52xf-h226-pfgx
github.com/advisories/GHSA-52xf-h226-pfgx

Code Behaviors & Features

Detect and mitigate GHSA-52xf-h226-pfgx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →