Leantime < 2.4 - Authenticated SQL Injection
Leantime is an open source project management system. A 'userId' variable in app/domain/files/repositories/class.files.php is not parameterized. An authenticated attacker can send a carefully crafted POST request to /api/jsonrpc to exploit an SQL injection vulnerability. Confidentiality is impact...
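The entry above describes a query that interpolates a user-supplied `userId` into SQL rather than binding it. The following is an added example, not Leantime's own code: a Python/sqlite3 model of the same defect (a hypothetical `files` table and `users` table, constructed inline) showing how an authenticated caller turns the `userId` parameter into a UNION that reads another table, and the parameterized form that closes it.

```python
import sqlite3

# Constructed stand-in for the application's database. The schema and
# the rows are hypothetical; they are not Leantime's real tables.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE files (id INTEGER, userId INTEGER, name TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO files VALUES (1, 7, 'report.pdf'), (2, 8, 'budget.xlsx');
        INSERT INTO users VALUES (7, 'alice', 'hash-a'), (8, 'bob', 'hash-b');
    """)
    return conn


def files_for_user_vulnerable(conn, user_id):
    # The request value is pasted into the statement, so anything that is
    # valid SQL after "userId = " becomes part of the query.
    sql = f"SELECT name FROM files WHERE userId = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def files_for_user_safe(conn, user_id):
    # The value is bound as data. The driver never re-parses it as SQL,
    # so a payload containing UNION is simply a string that matches no row.
    sql = "SELECT name FROM files WHERE userId = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Payload an authenticated attacker could place in the userId field of
# the request body (constructed for this example).
PAYLOAD = "7 UNION SELECT username || ':' || password FROM users"


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable:", files_for_user_vulnerable(db, "7"))
    print("attack, vulnerable:", files_for_user_vulnerable(db, PAYLOAD))
    print("legit, safe:", files_for_user_safe(db, "7"))
    print("attack, safe:", files_for_user_safe(db, PAYLOAD))
```

Binding the value is the whole fix; the same pattern applies to PDO prepared statements in PHP. Validating that `userId` is an integer before it reaches the query is a useful second layer but not a substitute.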
Leantime has HTML injection through firstname and lastname fields
Summary: Leantime v2.3.27 is vulnerable to Stored HTML Injection. The firstname and lastname fields in the admin user edit page are rendered without HTML escaping, allowing an authenticated user to inject arbitrary HTML that executes when the profile is viewed. Vulnerable File...
EUVD-2020-26486
Malware in sbrugna...
EUVD-2025-4468
Malicious code in bioql PyPI...
EUVD-2025-4465
Malicious code in bioql PyPI...
EUVD-2025-4461
Malicious code in bioql PyPI...
EUVD-2025-4469
Malicious code in bioql PyPI...
EUVD-2025-4471
Malicious code in bioql PyPI...
EUVD-2025-4470
Malicious code in bioql PyPI...
EUVD-2025-4460
Malicious code in bioql PyPI...
EUVD-2025-8662
Malicious code in bioql PyPI...
EUVD-2025-4464
Malicious code in bioql PyPI...
EUVD-2025-4467
Malicious code in bioql PyPI...
EUVD-2025-4466
Malicious code in bioql PyPI...
CVE-2024-27474
Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators...
CVE-2024-27477
In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited to perform...
CVE-2024-27476
Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show/tickets/newTicket...
CVE-2024-27705
Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary script in the victim's browser via the upload of a crafted PDF file to the files/browse endpoint...
CVE-2024-27703
Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary script in the victim's browser via the to-do title parameter...
CVE-2023-33961
Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code executes. As of time ...
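Several entries above share one root cause: a stored, user-controlled string (the firstname/lastname fields, the to-do title, a comment) is written into a page without HTML escaping. The following is an added example, not Leantime's or any advisory's code: a small Python renderer for a hypothetical profile fragment, shown first in the unescaped form and then with context-appropriate escaping (text node versus attribute value), driven by a constructed payload.

```python
import html

# Constructed attacker-controlled values, as they might be stored in
# firstname / lastname or a to-do title. Hypothetical inputs for this example.
EVIL_NAME = '<img src=x onerror=alert(document.cookie)>'
EVIL_ATTR = 'x" autofocus onfocus="alert(1)'


def render_profile_vulnerable(first, last):
    # Stored values are concatenated straight into markup. Any tag or
    # attribute in them becomes part of the DOM when the profile is viewed.
    return (
        f'<div class="profile" data-user="{first}">'
        f'<h2>{first} {last}</h2></div>'
    )


def render_profile_safe(first, last):
    # html.escape() turns <, >, & and (with quote=True, the default) both
    # quote characters into entities, so the same bytes render as text.
    # Attribute values must be escaped with quotes included, because a
    # stray " is what lets a payload break out of the attribute.
    first_attr = html.escape(first, quote=True)
    first_txt = html.escape(first)
    last_txt = html.escape(last)
    return (
        f'<div class="profile" data-user="{first_attr}">'
        f'<h2>{first_txt} {last_txt}</h2></div>'
    )


def contains_live_markup(fragment):
    # Crude check used only to illustrate the difference: does the output
    # still contain an unescaped tag opener or an injected event handler?
    return "<img" in fragment or 'onfocus="alert' in fragment


if __name__ == "__main__":
    print(render_profile_vulnerable(EVIL_ATTR, EVIL_NAME))
    print(render_profile_safe(EVIL_ATTR, EVIL_NAME))
```

Escaping at render time is what the fixed versions of these pages need; filtering on input alone is fragile because the same value may later be rendered in a different context (attribute, JavaScript string, URL) where HTML entity encoding is not the right encoding. A Content-Security-Policy without `unsafe-inline` limits what an injection like `onerror=alert(...)` can do but does not remove the injection.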