CVE-2026-25764
Unknown Unknown - Not Provided
HTML Injection in OpenProject Time Tracking Allows Malicious Content

Publication date: 2026-02-06

Last updated on: 2026-02-13

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-13
Generated
2026-05-07
AI Q&A
2026-02-07
EPSS Evaluated
2026-05-05
NVD
CVE-2026-25764
EUVD
EUVD-2026-5557
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openproject openproject to 16.6.7 (exc)
openproject openproject From 17.0.0 (inc) to 17.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an HTML injection issue in the OpenProject software, specifically in its time tracking function. Before versions 16.6.7 and 17.0.3, the application did not properly escape HTML tags in the name of a work package. An attacker with administrator privileges could exploit this by creating a work package with malicious HTML code in its name, which would then be rendered in the Work package section during time tracking.


How can this vulnerability impact me? :

The impact of this vulnerability is limited but notable. Since it requires administrator privileges and involves HTML injection, it could allow an attacker to inject malicious HTML code that might affect the integrity of the user interface or cause limited disruption. According to the CVSS score (3.5), the impact on confidentiality is none, but there is low impact on integrity and availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade OpenProject to version 16.6.7 or 17.0.3 or later, where the HTML injection issue in the time tracking function has been patched.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart