Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
UI:R assigned because victims must navigate to the work package to trigger the payload, contra the official UI:N; all other metrics align with the provided vector.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This executes arbitrary Turbo Stream actions - including redirect_to - in every victim's authenticated browser session, redirecting them to an attacker-controlled server. This vulnerability is fixed in 17.3.3 and 17.4.1.
AnalysisAI
Stored XSS in OpenProject's HTML sanitizer allows authenticated project contributors to execute arbitrary Turbo Stream actions - including forced redirects - in every other user's authenticated browser session. The sanitizer's :data wildcard for <macro> elements permits injection of data-controller attributes that Stimulus.js silently mounts, chaining an attacker-uploaded attachment through renderStreamMessage() to achieve cross-user session manipulation without victim interaction beyond viewing the work package. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a low-privilege authenticated account in the target OpenProject instance with at minimum the permission to edit work package descriptions in at least one project (typically Contributor or Member role). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N scores 6.4, and the S:C (scope change) reflects the cross-user nature of stored XSS correctly. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated OpenProject project member with contributor-level access edits a work package description and injects `<macro data-controller="poll-for-changes" data-poll-for-changes-url-value="/api/v3/attachments/ATTACKER_ID/content">` pointing to a previously uploaded attachment containing crafted Turbo Stream markup with a `redirect_to` action targeting an attacker-controlled phishing server. When any other project member opens the work package in their browser, Stimulus.js silently mounts the `poll-for-changes` controller, fetches the malicious attachment, and `renderStreamMessage()` executes the redirect, sending the victim's authenticated session context to the attacker's server. … |
| Remediation | Upgrade to OpenProject 17.3.3 (stable) or 17.4.1 (development) as confirmed by the vendor advisory at https://github.com/opf/openproject/security/advisories/GHSA-q33w-f822-hg8x. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openproject
View allA SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi
OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp
OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr
Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39871