
Leantime allows hackers to inject malicious HTML in user profiles

GHSA-qrfh-cc86-vc8c
Summary

Leantime versions before 3.3.0 have a security weakness that lets an attacker inject malicious HTML code into user profiles. This can lead to phishing attempts, fake login forms, and website tampering. To fix this, update to version 3.3.0 or higher, or ensure that user input is properly sanitized with the htmlspecialchars function.

What to do
  • Update leantime leantime to version 3.3.0.
Affected software
Vendor: leantime
Product: leantime
Affected versions: <= 3.3.0
Fix available: 3.3.0
Original title
Leantime has HTML injection through firstname and lastname fields
Original description
### Summary
Leantime v2.3.27 is vulnerable to Stored HTML Injection. The `firstname` and `lastname` fields in the admin user edit page are rendered without HTML escaping, allowing an authenticated user to inject arbitrary HTML that executes when the profile is viewed.

### Vulnerable File
`app/Domain/Users/Templates/editUser.tpl.php`

### Vulnerable Code (Lines ~14-17)
```php
value="<?php echo $values['firstname'] ?>"
value="<?php echo $values['lastname'] ?>"
```
These fields output raw user input without sanitization.

### Steps to Reproduce
1. Login as admin > Go to Settings > Users > Edit any user
2. Enter HTML payload in First Name or Last Name field:
`<h1>INJECTED</h1>`
3. Save the user profile
4. Create or view an article — the injected HTML renders in the author name

### Fix
Replace unescaped `echo` with `htmlspecialchars()`:
```php
value="<?php echo htmlspecialchars($values['firstname'], ENT_QUOTES, 'UTF-8') ?>"
value="<?php echo htmlspecialchars($values['lastname'], ENT_QUOTES, 'UTF-8') ?>"
```
Or use the existing `$this->e()` helper already used in `editOwn.tpl.php`.
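The unescaped attribute rendering described above and the `htmlspecialchars()` fix, side by side, as an added PHP example that is not Leantime's code; the `e()` helper, the `renderUnescaped`/`renderEscaped` function names and the sample names are assumptions, and the `<h1>INJECTED</h1>` payload is the one quoted in this advisory.

```php
<?php
// Added example (not Leantime's code): contrasts the raw attribute
// rendering from editUser.tpl.php with the htmlspecialchars() fix.
// The helper name e() is an assumption, not Leantime's $this->e().
declare(strict_types=1);

// Vulnerable pattern: user input concatenated straight into the value attribute.
function renderUnescaped(string $firstname): string
{
    return '<input type="text" name="firstname" value="' . $firstname . '">';
}

// Fixed pattern. ENT_QUOTES is passed explicitly because on PHP < 8.1 the
// default flags left single quotes unescaped; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderEscaped(string $firstname): string
{
    return '<input type="text" name="firstname" value="' . e($firstname) . '">';
}

// Counts element start tags beyond the single <input> the template emits;
// anything above 0 means the stored value injected markup into the page.
function injectedTagCount(string $html): int
{
    return preg_match_all('/<[a-z]/i', $html) - 1;
}

// Constructed sample inputs: the payload quoted in the advisory, a variant
// that closes the attribute first, and an ordinary name with an apostrophe.
$samples = ['<h1>INJECTED</h1>', '"><h1>INJECTED</h1>', "O'Brien"];

foreach ($samples as $name) {
    $raw  = renderUnescaped($name);
    $safe = renderEscaped($name);
    printf("input   : %s\nraw     : %s  (injected tags: %d)\nescaped : %s  (injected tags: %d)\n\n",
        $name, $raw, injectedTagCount($raw), $safe, injectedTagCount($safe));
}
```

For both injection samples the raw rendering reports one injected tag while the escaped rendering reports zero; the apostrophe name is harmless in either form but is still encoded by the fixed helper.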

### Impact
- Stored HTML injection visible to all users viewing affected content
- Can be used for phishing, fake login forms, and UI defacement
- Affects all versions before 3.3.0
CVSS 3.1 (ghsa): 5.4
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 5 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026