CVE-2026-28275 · HIGH 8.1 · EPSS p28.5%

Description

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.37% probability of exploitation · percentile 28.5% · 2026-06-19T12:03:05Z
Published: 2026-02-26
Last modified: 2026-02-27

Underlying weaknesses · 1

CWE-613

References

  1. https://github.com/Morelitea/initiative/releases/tag/v0.32.4
  2. https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h


Type: Weakness
Target: Insufficient Session Expiration (cwe-613)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-28274
CVE-2025-57735
CVE-2026-42280
CVE-2026-26060
CVE-2026-1529
CVE-2026-43983

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.