CVE-2026-32703

Severity: Medium (CVSS 3.1 base score 5.4) · EPSS 8.7%
Published Mar 18, 2026 · Modified Mar 19, 2026

Description

OpenProject is open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from linked repositories. An attacker with push access to such a repository could create commits whose filenames contained HTML, and that HTML was injected into the page without escaping. This enabled a stored (persistent) XSS attack against every member of the project who opened the repositories page to view a changeset in which the maliciously named file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
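The following Ruby example is added here to illustrate the bug class the description names; it is not OpenProject's own view code and the advisory publishes no payload. It pairs a vulnerable row renderer (file name interpolated straight into markup, the equivalent of returning an unescaped string marked html_safe in Rails) with the escaped form, and adds a small scan over `git log --name-status` output that an administrator of an unpatched instance could use to find file names carrying HTML metacharacters. The file name, helper names and the sample git output are all constructed for the example.

```ruby
# Added example (not OpenProject's code) for CVE-2026-32703: a repository file
# name rendered into HTML without escaping, beside the escaped rendering and a
# detection helper.  Helper names and sample data are assumptions for this demo.
require "erb"

# Constructed attacker-controlled file name (not taken from the advisory).  Git
# accepts it on any filesystem that allows '<' and '>' in path names.
MALICIOUS_FILENAME = "<img src=x onerror=alert(document.cookie)>.txt".freeze

# Vulnerable rendering: the untrusted name goes into the markup verbatim, so the
# browser parses the <img> tag and runs its onerror handler for every viewer.
def render_changeset_row_vulnerable(status, filename)
  css = status == "D" ? "deleted" : "changed"
  "<li class=\"#{css}\">#{filename}</li>"
end

# Hardened rendering: ERB::Util.html_escape turns < > & " ' into entities, so the
# name is displayed as text and can no longer introduce elements or attributes.
def render_changeset_row(status, filename)
  css = status == "D" ? "deleted" : "changed"
  "<li class=\"#{css}\">#{ERB::Util.html_escape(filename)}</li>"
end

# Characters that change meaning once they reach an HTML parser.
HTML_METACHARS = /[<>"'&]/

# Detection helper: feed it the output of
#   git log --all --name-status --format=
# which yields one "<status>\t<path>" line per touched file (blank separator
# lines between commits are skipped).  It returns every path whose name contains
# an HTML metacharacter.  A hit is not proof of an attack, but on an unpatched
# instance each one is a name that would have been rendered unescaped.
def suspicious_filenames(name_status_output)
  name_status_output.each_line.filter_map do |line|
    _status, path = line.chomp.split("\t", 2)
    next if path.nil?
    path if path.match?(HTML_METACHARS)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_changeset_row_vulnerable("D", MALICIOUS_FILENAME)
  puts render_changeset_row("D", MALICIOUS_FILENAME)
  # Constructed sample of `git log --name-status` output, one benign commit and
  # one that deletes the maliciously named file.
  sample = "M\tREADME.md\n\nD\t#{MALICIOUS_FILENAME}\nA\tdocs/notes.txt\n"
  p suspicious_filenames(sample)
end
```

The escaped output renders the literal text `<img src=x ...>.txt` as the file name, which is exactly what the patched versions are described as doing; the scan is only a triage aid and should be run against every repository linked to an OpenProject project that has not yet been upgraded.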

CVSS Details

Base Score
5.4
Exploitability
2.3
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
8.7% (estimated probability of exploitation activity in the next 30 days)
Exploit & Patch Status
No Known Exploit
Patch Available: fixed in 16.6.9, 17.0.6, 17.1.3 and 17.2.1 (see vendor advisory)

Weaknesses 1

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products 4

Vendor        Product       Version   Range
openproject   openproject   *         < 16.6.9
openproject   openproject   *         >= 17.0.0, < 17.0.6
openproject   openproject   *         >= 17.1.0, < 17.1.3
openproject   openproject   17.2.0    exact version only (fixed in 17.2.1)

References 1

  • github.com https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp
    Vendor Advisory

Remediation

Upgrade to 16.6.9, 17.0.6, 17.1.3 or 17.2.1 (or a later release in the same line), as stated in the vendor advisory linked above.

Until the upgrade is applied, note that push access to a linked repository is the only privilege the attacker needs (PR:L in the vector), so restrict who can push to repositories attached to OpenProject projects. Because the payload is stored in commit history, a repository that already contains a file whose name carries HTML markup will keep triggering the issue on affected versions each time that changeset is viewed; reviewing repository history for such names is a reasonable check after patching.