EUVD-2026-12969
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
Analysis
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying filenames from repository changesets. Attackers with repository push access can inject malicious HTML code via specially crafted filenames, which executes when project members view affected changesets. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all OpenProject instances and identify which versions are deployed; restrict repository push access to only trusted administrators and disable anonymous repository access if enabled. Within 7 days: Implement network segmentation to limit who can access OpenProject instances; deploy WAF rules to filter malicious HTML in repository responses; conduct user awareness training on suspicious behavior. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today