CVE-2026-32703
Received Received - Intake
Persistent XSS in OpenProject Repositories via Unsanitized Filenames

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32703
EUVD
EUVD-2026-12969
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
openproject openproject to 16.6.9 (exc)
openproject openproject From 17.0.0 (inc) to 17.0.6 (exc)
openproject openproject From 17.1.0 (inc) to 17.1.3 (exc)
openproject openproject 17.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenProject, a web-based project management software. In certain versions before 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. An attacker with push access to the repository could create commits with filenames containing malicious HTML code. This code would be injected into the page without proper sanitation, leading to a persistent cross-site scripting (XSS) attack. Any project member viewing the repositories page showing the changeset with the malicious filename could be affected.

Impact Analysis

The vulnerability allows an attacker with push access to execute persistent cross-site scripting attacks against all members of a project who view the affected repositories page. This can lead to unauthorized actions performed in the context of the victim's session, data theft, or compromise of user accounts. The CVSS score of 9.0 indicates a high severity with potential impacts on confidentiality, integrity, and availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenProject to one of the fixed versions: 16.6.9, 17.0.6, 17.1.3, or 17.2.1.

This update addresses the improper escaping of filenames in the Repositories module that allowed persisted XSS attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32703. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart