CVE-2026-32703
Received Received - Intake

Persistent XSS in OpenProject Repositories via Unsanitized Filenames

Vulnerability report for CVE-2026-32703, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-07-06
AI Q&A
2026-03-19
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
openproject openproject to 16.6.9 (exc)
openproject openproject From 17.0.0 (inc) to 17.0.6 (exc)
openproject openproject From 17.1.0 (inc) to 17.1.3 (exc)
openproject openproject 17.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenProject, a web-based project management software. In certain versions before 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. An attacker with push access to the repository could create commits with filenames containing malicious HTML code. This code would be injected into the page without proper sanitation, leading to a persistent cross-site scripting (XSS) attack. Any project member viewing the repositories page showing the changeset with the malicious filename could be affected.

Impact Analysis

The vulnerability allows an attacker with push access to execute persistent cross-site scripting attacks against all members of a project who view the affected repositories page. This can lead to unauthorized actions performed in the context of the victim's session, data theft, or compromise of user accounts. The CVSS score of 9.0 indicates a high severity with potential impacts on confidentiality, integrity, and availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenProject to one of the fixed versions: 16.6.9, 17.0.6, 17.1.3, or 17.2.1.

This update addresses the improper escaping of filenames in the Repositories module that allowed persisted XSS attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32703. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart