Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Network-accessible web app, low-privilege write access required (PR:L), victim must view content (UI:R), integrity-only UI manipulation impact with no confirmed confidentiality or availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS This vulnerability is fixed in 17.4.0.
AnalysisAI
CSS injection in OpenProject's rich text rendering pipeline prior to version 17.4.0 allows any authenticated user with write access to inject arbitrary CSS into formattable text fields (work package descriptions, comments, project descriptions, news). The misconfigured Sanitize::Config::RELAXED[:css] setting permits all CSS properties on permitted HTML elements, enabling UI redressing, phishing overlays, and potential CSS-based side-channel data exfiltration when a victim views the malicious content. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated OpenProject account with write access to at least one formattable text field - specifically work package descriptions, work package comments, project descriptions, or news items. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N) scores 5.7 (Medium), reflecting a network-exploitable flaw requiring low privileges and victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated OpenProject user with write access to a shared project crafts a work package description containing an img or table element with a style attribute using position:fixed, top:0, left:0, width:100vw, height:100vh to overlay a fake login prompt over the entire viewport. When a colleague or project manager opens the work package, the CSS renders in their browser, presenting a phishing interface that mimics the OpenProject login page to harvest credentials. … |
| Remediation | Upgrade to OpenProject 17.4.0 or later, which replaces the overly permissive Sanitize::Config::RELAXED[:css] configuration with a restrictive CSS allowlist. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openproject
View allA SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi
OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp
OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr
Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39878