CVE-2026-25764
Unknown Unknown - Not Provided
HTML Injection in OpenProject Time Tracking Allows Malicious Content

Publication date: 2026-02-06

Last updated on: 2026-02-13

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25764
EUVD
EUVD-2026-5557
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openproject openproject to 16.6.7 (exc)
openproject openproject From 17.0.0 (inc) to 17.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an HTML injection issue in the OpenProject software, specifically in its time tracking function. Before versions 16.6.7 and 17.0.3, the application did not properly escape HTML tags in the name of a work package. An attacker with administrator privileges could exploit this by creating a work package with malicious HTML code in its name, which would then be rendered in the Work package section during time tracking.

Impact Analysis

The impact of this vulnerability is limited but notable. Since it requires administrator privileges and involves HTML injection, it could allow an attacker to inject malicious HTML code that might affect the integrity of the user interface or cause limited disruption. According to the CVSS score (3.5), the impact on confidentiality is none, but there is low impact on integrity and availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenProject to version 16.6.7 or 17.0.3 or later, where the HTML injection issue in the time tracking function has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25764. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart