GHSA-v4q9-437p-mhpg: Leantime allows Cross Site Scripting (XSS) and SQL Injection (SQLi)

February 21, 2025 (updated October 31, 2025)

A cross-site scripting (XSS) vulnerability has been identified in Leantime. The vulnerability allows an attacker to inject malicious scripts into certain fields, potentially leading to the execution of arbitrary code or unauthorized access to user-sensitive information. The code does not include any validation or sanitization of the $_GET[“id”] parameter. As a result, it directly incorporates the user-supplied value into the source path without any checks.

References

github.com/Leantime/leantime
github.com/Leantime/leantime/security/advisories/GHSA-v4q9-437p-mhpg
github.com/advisories/GHSA-v4q9-437p-mhpg

Code Behaviors & Features

Detect and mitigate GHSA-v4q9-437p-mhpg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →