Skip to main content

OpenProject CVE-2026-52781

| EUVDEUVD-2026-39871 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 GitHub_M
6.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

UI:R assigned because victims must navigate to the work package to trigger the payload, contra the official UI:N; all other metrics align with the provided vector.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 21:02 EUVD
Analysis Generated
Jun 26, 2026 - 19:51 vuln.today

DescriptionCVE.org

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This executes arbitrary Turbo Stream actions - including redirect_to - in every victim's authenticated browser session, redirecting them to an attacker-controlled server. This vulnerability is fixed in 17.3.3 and 17.4.1.

AnalysisAI

Stored XSS in OpenProject's HTML sanitizer allows authenticated project contributors to execute arbitrary Turbo Stream actions - including forced redirects - in every other user's authenticated browser session. The sanitizer's :data wildcard for <macro> elements permits injection of data-controller attributes that Stimulus.js silently mounts, chaining an attacker-uploaded attachment through renderStreamMessage() to achieve cross-user session manipulation without victim interaction beyond viewing the work package. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as low-privilege project contributor
Delivery
Upload malicious Turbo Stream attachment to OpenProject
Exploit
Inject data-controller attribute into work package description via macro element
Install
Victim navigates to affected work package
C2
Stimulus.js auto-mounts poll-for-changes controller
Execute
Controller fetches attacker attachment and calls renderStreamMessage()
Impact
Victim browser executes redirect_to attacker-controlled server

Vulnerability AssessmentAI

Exploitation The attacker must hold a low-privilege authenticated account in the target OpenProject instance with at minimum the permission to edit work package descriptions in at least one project (typically Contributor or Member role). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N scores 6.4, and the S:C (scope change) reflects the cross-user nature of stored XSS correctly. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated OpenProject project member with contributor-level access edits a work package description and injects `<macro data-controller="poll-for-changes" data-poll-for-changes-url-value="/api/v3/attachments/ATTACKER_ID/content">` pointing to a previously uploaded attachment containing crafted Turbo Stream markup with a `redirect_to` action targeting an attacker-controlled phishing server. When any other project member opens the work package in their browser, Stimulus.js silently mounts the `poll-for-changes` controller, fetches the malicious attachment, and `renderStreamMessage()` executes the redirect, sending the victim's authenticated session context to the attacker's server. …
Remediation Upgrade to OpenProject 17.3.3 (stable) or 17.4.1 (development) as confirmed by the vendor advisory at https://github.com/opf/openproject/security/advisories/GHSA-q33w-f822-hg8x. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-11600 HIGH POC
8.1 May 13

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi

CVE-2023-33960 HIGH POC
7.5 Jun 01

OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp

CVE-2023-31140 MEDIUM POC
6.5 May 08

OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely

CVE-2026-46386 CRITICAL
9.9 Jun 26

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco

CVE-2026-52782 CRITICAL
9.9 Jun 26

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj

CVE-2026-52785 CRITICAL
9.9 Jun 26

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user

CVE-2026-34717 CRITICAL
9.9 Apr 02

SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via

CVE-2026-25763 CRITICAL
9.9 Feb 06

OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr

CVE-2026-52780 CRITICAL
9.6 Jun 26

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi

CVE-2026-32698 CRITICAL
9.1 Mar 18

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior

CVE-2026-22600 CRITICAL
9.1 Jan 10

OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex

CVE-2026-32703 CRITICAL
9.0 Mar 18

OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying

Share

CVE-2026-52781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy