Description
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
Published: 2026-03-18
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

OpenProject’s Repositories module did not properly escape filenames supplied by the repository. An attacker with push access can commit a file whose name contains HTML code that is rendered on the repositories page without sanitation. This results in a persisted cross‑site scripting (XSS) vulnerability that can execute arbitrary JavaScript in the browsers of all project members who view the affected page.

Affected Systems

Affected deployments are those running OpenProject versions before 16.6.9, before 17.0.6, before 17.1.3, or before 17.2.1. The product is identified by the vendor identifier opf:openproject and the CPE strings cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:* and cpe:2.3:a:openproject:openproject:17.2.0:*:*:*:*:*:*:*; any instance matching those version ranges is vulnerable.

Risk and Exploitability

The CVSS score of 9.1 categorises this flaw as high severity, yet the EPSS score is below 1 % and it is not listed in CISA’s KEV catalog. The vulnerability requires the attacker to possess push rights to the repository; after a malicious commit, any project member who accesses the repositories page will have the injected script executed. The potential impact is confined to the victim’s browser and does not require additional conditions beyond repository access.

Generated by OpenCVE AI on March 19, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to at least version 16.6.9, 17.0.6, 17.1.3, or 17.2.1.
  • Verify that repository filenames are properly escaped in the UI after applying the patch.
  • Monitor repository commits for any unexpected or malicious filenames.

Generated by OpenCVE AI on March 19, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Openproject
Openproject openproject
CPEs cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
cpe:2.3:a:openproject:openproject:17.2.0:*:*:*:*:*:*:*
Vendors & Products Openproject
Openproject openproject

Thu, 19 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Opf
Opf openproject
Vendors & Products Opf
Opf openproject

Wed, 18 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
Title OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Openproject Openproject
Opf Openproject
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T16:14:11.504Z

Reserved: 2026-03-13T14:33:42.823Z

Link: CVE-2026-32703

cve-icon Vulnrichment

Updated: 2026-03-19T16:14:05.378Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T22:16:24.517

Modified: 2026-03-19T19:23:00.593

Link: CVE-2026-32703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:52:09Z

Weaknesses