Description
OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting an `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to the Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add an X-Content-Type-Options: nosniff header in their proxying web application server.
Published: 2026-01-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

OpenProject 16.3.0 through 16.6.4 contain a stored cross‑site scripting flaw in the Roadmap view. The view renders a “Related work packages” list for each version, and when a version includes work packages from another project (for example a subproject), the helper link_to_work_package prepends the owning project’s name to the link and returns the whole string with .html_safe. Project names are user‑controlled and are not escaped before that call, so any HTML placed in a subproject name is emitted verbatim into the page. A user who opens the affected roadmap runs the injected script in their own browser and session. The CVSS vector (C:H/I:H with a scope change) is consistent with session hijacking, reading data visible to the victim, and performing actions with the victim’s privileges; the description itself does not name specific post‑exploitation steps.
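The pattern described above, shown as an added example rather than OpenProject’s own helper: a constructed link_to_work_package look‑alike in its vulnerable form (unescaped interpolation, which the original then returns with .html_safe) beside a hardened form that escapes every user‑controlled value with ERB::Util.html_escape, plus a small audit check for names already stored in the database. The Struct, field names, sample project name and URL path are assumptions made for the example.

```ruby
require "erb"

# Added example of the pattern the advisory describes: a helper that prepends
# the owning project's name to a work-package link and marks the whole string
# as HTML-safe. Names, structure and data are constructed for the example; this
# is not OpenProject's actual link_to_work_package.
#
# ActiveSupport's String#html_safe is not available outside Rails, so these
# helpers return the raw markup a browser would receive. In Rails, calling
# .html_safe on the result tells ERB not to escape it again on output, which
# is exactly what the vulnerable version relies on.

WorkPackage = Struct.new(:id, :subject, :project_name)

# Vulnerable form: project_name and subject are interpolated without escaping.
def vulnerable_link_to_work_package(wp, current_project)
  link = "<a href=\"/work_packages/#{wp.id}\">##{wp.id} #{wp.subject}</a>"
  if wp.project_name == current_project
    link
  else
    "#{wp.project_name} - #{link}" # the original then returns this .html_safe
  end
end

# Hardened form: every user-controlled value goes through html_escape before it
# is assembled into markup, so the only tags in the output are the helper's own.
def safe_link_to_work_package(wp, current_project)
  esc = ->(value) { ERB::Util.html_escape(value.to_s) }
  link = "<a href=\"/work_packages/#{esc.call(wp.id)}\">##{esc.call(wp.id)} #{esc.call(wp.subject)}</a>"
  if wp.project_name == current_project
    link
  else
    "#{esc.call(wp.project_name)} - #{link}"
  end
end

# Audit helper for names already in the database: flags any project name that
# contains a tag delimiter or an HTML entity, which is what a stored payload
# looks like. A plain ampersand ("Marketing & Sales") is not flagged.
def project_name_contains_markup?(name)
  name.match?(/[<>]|&#?\w+;/)
end

# Constructed sample data: a subproject whose name carries an XSS payload.
PAYLOAD_PROJECT = "Subproject<img src=x onerror=alert(document.cookie)>"
SAMPLE_WP = WorkPackage.new(42, "Ship release", PAYLOAD_PROJECT)

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_link_to_work_package(SAMPLE_WP, "Main project")
  puts safe_link_to_work_package(SAMPLE_WP, "Main project")
end
```

Running the script prints the payload intact from the vulnerable helper and as `&lt;img …&gt;` from the hardened one; in a Rails view the hardened string can still be returned as html_safe because its only unescaped tags are the ones the helper emits itself.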

Affected Systems

OpenProject, the open‑source, web‑based project management software, is affected in versions 16.3.0 up to and including 16.6.4. According to the description, the issue is mitigated in 16.6.5 and 17.0.0 by restoring the X‑Content‑Type‑Options: nosniff header, which had been set until a refactoring to the Rails standard content‑security‑policy configuration dropped it in 16.3.0. Note that this header stops browsers from MIME‑sniffing served content; it does not by itself escape the project name in the helper, and the advisory title refers to attachments and a script‑src 'self' policy. Treat the header as the vendor’s named mitigation and the upgrade as the remediation. Installations that cannot upgrade should have their reverse proxy or front‑end web server add the nosniff header.

Risk and Exploitability

The CVSS 3.1 score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) indicates high severity: reachable over the network with low attack complexity, low privileges required, user interaction required, and a scope change because the script runs in other users’ browsers. The EPSS score below 1% suggests a low likelihood of exploitation in the wild, the vulnerability is not in the CISA KEV catalog, and the SSVC assessment records exploitation as “none” and the issue as not automatable. An attacker needs an account that is permitted to create or rename a subproject (the vector’s PR:L; no database compromise is implied), and a victim with access to the parent project must open the roadmap page (UI:R). The injected script then runs with the victim user’s privileges.

Generated by OpenCVE AI on April 18, 2026 at 15:52 UTC.

Remediation

Fixed in OpenProject 16.6.5 and 17.0.0. Workaround for installations that cannot upgrade: add an X‑Content‑Type‑Options: nosniff header in the reverse proxy or front‑end web server, as stated in the description above.

OpenCVE Recommended Actions

  • Update OpenProject to version 16.6.5 or newer (or 17.0.0), which restores the missing X‑Content‑Type‑Options: nosniff header.
  • If an upgrade cannot be performed, configure the reverse proxy or front‑end web server to add X‑Content‑Type‑Options: nosniff to every response served by OpenProject, and verify it with a request for an attachment and for the roadmap page.
  • Audit existing project and subproject names for HTML markup (< and > characters) and rename any that contain it, since a payload stored before the fix remains in the database; restricting new names to safe characters is an interim control only and does not replace output escaping in the view.
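The header mitigation from the list above, as an added example that is not OpenProject’s code or configuration: a Rack middleware that forces X‑Content‑Type‑Options: nosniff onto every response, for deployments where the proxying web server cannot be changed. Where it is mounted (config.ru or an initializer) and the two constructed upstream apps are assumptions for the example.

```ruby
# Added example, not OpenProject's code: a Rack middleware that sets
# X-Content-Type-Options: nosniff on every response, for deployments where the
# proxying web server cannot be changed. Where it is mounted (config.ru, an
# initializer) is an assumption about the deployment, not taken from the advisory.
class NosniffHeader
  HEADER = "X-Content-Type-Options".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Copy the headers into a plain Hash, drop any existing spelling of the
    # header (Rack 2 uses mixed case, Rack 3 lowercases), and set the only
    # value that is valid for it. Overwriting is deliberate: an upstream
    # "nosniff" is preserved in effect, anything else is corrected.
    fixed = headers.to_h.reject { |name, _| name.to_s.casecmp?(HEADER) }
    fixed[HEADER] = "nosniff"
    [status, fixed, body]
  end
end

# Constructed upstream apps standing in for the Rails application: one that
# sends no header at all, and one that sends a wrong value.
APP_WITHOUT_HEADER = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<html></html>"]] }
APP_WITH_WRONG_VALUE = ->(_env) { [200, { "x-content-type-options" => "sniff-away" }, [""]] }

# Returns the value of X-Content-Type-Options seen by the client, whatever the
# case of the header name, or nil if the header is absent.
def nosniff_value(app, env = {})
  _status, headers, _body = NosniffHeader.new(app).call(env)
  pair = headers.find { |name, _| name.casecmp?("X-Content-Type-Options") }
  pair && pair.last
end

if __FILE__ == $PROGRAM_NAME
  p nosniff_value(APP_WITHOUT_HEADER)   # "nosniff"
  p nosniff_value(APP_WITH_WRONG_VALUE) # "nosniff"
end
```

The equivalent at the proxy layer, which is where the description places the workaround, is a single directive such as nginx’s `add_header X-Content-Type-Options nosniff always;` (the `always` keeps the header on error responses too); the middleware is only for cases where that layer is out of reach.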


Advisories

No advisories yet.

History

Mon, 02 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared: Openproject; Openproject openproject
Vendors & Products: Openproject; Openproject openproject

Mon, 19 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
Description (text identical to the Description at the top of this page)
Title OpenProject has stored XSS regression using attachments and script-src self
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T15:10:58.947Z

Reserved: 2026-01-14T16:08:37.482Z

Link: CVE-2026-23625

Vulnrichment

Updated: 2026-01-20T15:10:55.887Z

NVD

Status : Analyzed

Published: 2026-01-19T18:16:05.437

Modified: 2026-02-02T20:49:09.927

Link: CVE-2026-23625

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses