216.73.217.139

CVE-2026-32703

· Published 18/03/2026 22:16 · Modified 19/03/2026 19:23

Labels: CVE-2026-32703 2026-03-18CVE-2026-32703CWE-79[email protected]

Essential information

Published
18/03/2026 22:16
Modified
19/03/2026 19:23
Author
Creator
CVSS
9.0 CRITICAL (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS metrics

Description

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
openproject / openproject cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
openproject / openproject cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
openproject / openproject cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
openproject / openproject cpe:2.3:a:openproject:openproject:17.2.0:*:*:*:*:*:*:*

References