CVE-2026-32703
MEDIUM · 5.4 (CVSS 3.1) · EPSS 8.7%
Published Mar 18, 2026 · Modified Mar 19, 2026
Description
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access to the repository to create commits with filenames that included HTML code, which was injected into the page without proper sanitization. This allowed a persisted XSS attack against all members of this project who accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
CVSS Details
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None
Threat Intelligence
EPSS Exploit Probability
8.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting Injection
Affected Products 4
| Vendor | Product | Version | Range |
|---|---|---|---|
| openproject | openproject | * | <16.6.9 |
| openproject | openproject | * | ≥17.0.0 – <17.0.6 |
| openproject | openproject | * | ≥17.1.0 – <17.1.3 |
| openproject | openproject | 17.2.0 | any |
References 1
- github.com https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability. The description above names 16.6.9, 17.0.6, 17.1.3, and 17.2.1 as the versions that fix the issue.