Skip to main content

Openproject CVE-2026-32703

| EUVDEUVD-2026-12969 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 GitHub_M
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:49 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
16.6.9,17.1.3,17.2.1
EUVD ID Assigned
Mar 18, 2026 - 21:29 euvd
EUVD-2026-12969
Analysis Generated
Mar 18, 2026 - 21:29 vuln.today
CVE Published
Mar 18, 2026 - 21:04 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.

AnalysisAI

OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying filenames from repository changesets. Attackers with repository push access can inject malicious HTML code via specially crafted filenames, which executes when project members view affected changesets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker pushes commit with HTML-injected filename
Exploit
Filename displayed unescaped in Repositories page
Execution
XSS payload executes in victim's browser
Impact
Attacker steals session/credentials or performs actions as victim

Vulnerability AssessmentAI

Exploitation Attacker requires push access to a repository in OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, or 17.2.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) indicates this is a network-exploitable vulnerability with low attack complexity, requiring low privileges (repository push access) and user interaction (viewing the malicious changeset). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with repository push access creates a commit containing a file with a malicious filename such as '<img src=x onerror=alert(document.cookie)>.txt', then deletes this file in a subsequent commit. When a project administrator or team member navigates to the Repositories page to review recent changesets, the malicious JavaScript executes in their browser context, potentially stealing session cookies, performing actions as the victim user, or exfiltrating sensitive project data. …
Remediation Upgrade OpenProject to version 16.6.9, 17.0.6, 17.1.3, or 17.2.1 depending on your release branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all OpenProject instances and current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-46386 CRITICAL
9.9 Jun 26

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco

CVE-2026-52782 CRITICAL
9.9 Jun 26

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj

CVE-2026-52785 CRITICAL
9.9 Jun 26

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user

CVE-2026-34717 CRITICAL
9.9 Apr 02

SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via

CVE-2026-25763 CRITICAL
9.9 Feb 06

OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr

CVE-2026-52780 CRITICAL
9.6 Jun 26

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi

CVE-2026-32698 CRITICAL
9.1 Mar 18

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior

CVE-2026-22600 CRITICAL
9.1 Jan 10

OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex

CVE-2026-24772 HIGH
8.9 Jan 28

Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication toke

CVE-2026-24685 HIGH
8.8 Jan 28

Arbitrary file write in OpenProject versions before 16.6.6 and 17.0.2 allows authenticated users with repository browse

CVE-2026-52784 HIGH
8.8 Jun 26

Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id c

CVE-2026-23625 HIGH
8.7 Jan 19

Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through

Share

CVE-2026-32703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy