CVE-2026-23625
Stored XSS in OpenProject Roadmap View via Subproject Names
Publication date: 2026-01-19
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opf | openproject | From 16.3.0 (inc) to 16.6.4 (inc) |
| opf | openproject | 16.6.5 |
| opf | openproject | 17.0.0 |
| openproject | openproject | From 16.3.0 (exc) to 16.6.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss how this stored cross-site scripting (XSS) vulnerability in OpenProject affects compliance with common standards and regulations such as GDPR or HIPAA. Therefore, no direct information is available on the impact of this vulnerability on regulatory compliance.
Can you explain this vulnerability to me?
CVE-2026-23625 is a stored Cross-Site Scripting (XSS) vulnerability in OpenProject versions 16.3.0 through 16.6.4, specifically in the Roadmap view. The vulnerability occurs because the 'Related work packages' list includes work packages from different projects or subprojects, and the helper function 'link_to_work_package' prepends the project name to the link and marks the entire string as html_safe without escaping user-controlled project names. This allows an attacker to inject arbitrary HTML or script code via a subproject name, which is then rendered directly on the page, leading to stored XSS. The issue was introduced after a refactoring that removed the 'X-Content-Type-Options: nosniff' header, which was restored in later patched versions. [1]
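The defect described above is a classic html_safe misuse: a string built by concatenating user-controlled text is marked as already-escaped, so the view engine emits it verbatim. The following Ruby snippet is an added example, not OpenProject's own code, that contrasts that vulnerable shape with the hardened one using the standard library's ERB::Util.html_escape. The WorkPackage struct, the SafeString stand-in for Rails' SafeBuffer, and the sample subproject name are all constructed for the example.

```ruby
require 'erb'

# Stand-in for Rails' html_safe marking (ActiveSupport::SafeBuffer): a String
# the rendering layer treats as already escaped. Constructed for this example.
class SafeString < String; end

# Minimal work package record; field names are assumptions for the example.
WorkPackage = Struct.new(:id, :subject, :project_name, :href)

# Vulnerable shape described in the advisory: the (sub)project name is
# prepended to the link and the whole string is marked safe without escaping,
# so markup inside project_name reaches the page unchanged.
def link_to_work_package_unsafe(wp)
  SafeString.new("#{wp.project_name} - <a href=\"#{wp.href}\">##{wp.id} #{wp.subject}</a>")
end

# Hardened shape: escape every user-controlled fragment before it is joined
# into markup; only then is the result marked safe.
def link_to_work_package_safe(wp)
  esc = ->(value) { ERB::Util.html_escape(value.to_s) }
  SafeString.new(
    "#{esc.call(wp.project_name)} - " \
    "<a href=\"#{esc.call(wp.href)}\">##{esc.call(wp.id)} #{esc.call(wp.subject)}</a>"
  )
end

# Simple check a reviewer or test could run over rendered output: does any
# raw tag from the user-controlled name survive into the HTML?
def leaks_raw_markup?(html, user_value)
  html.include?(user_value) && user_value.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed subproject name carrying a tag, as in the advisory's scenario.
  wp = WorkPackage.new(42, 'Fix login', '<script>x</script>', '/work_packages/42')
  puts "unsafe: #{link_to_work_package_unsafe(wp)}"
  puts "safe:   #{link_to_work_package_safe(wp)}"
end
```

The point of the hardened helper is that escaping happens per fragment, before concatenation; wrapping the finished string in html_safe (or a SafeBuffer) is only legitimate when every piece that went into it was escaped or is a literal.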
How can this vulnerability impact me?
This vulnerability can allow an attacker to inject malicious HTML or JavaScript code into the OpenProject Roadmap view, which is then stored and displayed to users. This can lead to high confidentiality and integrity impacts, such as theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of users. The CVSS v3.1 base score is 8.7, indicating high severity, with low attack complexity and low privileges required but requiring user interaction. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should upgrade OpenProject to version 16.6.5 or later, where the issue is fixed by restoring the X-Content-Type-Options: nosniff header. If upgrading is not possible, ensure that your proxy or web application server adds the X-Content-Type-Options: nosniff header to mitigate the vulnerability. [1, 2]