Platform: other
Component: openproject
Fixed in: 16.6.10, 17.0.1, 17.1.1, 17.2.1
CVE-2026-32703 describes a critical stored cross-site scripting (XSS) vulnerability in the OpenProject project management software. An attacker with push access to a repository linked to a project can commit a file whose name contains HTML, and that filename is rendered unescaped in the Repositories module. Every project member who views the changeset page listing the crafted file then executes the injected markup in their browser, which can lead to session hijacking or other actions performed with the victim's privileges. Affected are versions prior to 16.6.9, 17.0.6, 17.1.3 and 17.2.1; the fix is contained in those releases of the respective release lines.
The impact of CVE-2026-32703 is significant because the payload is persistent and reaches everyone in the project. The attacker crafts a commit whose filename contains HTML or script. When a project member opens the changeset page that lists this file, the injected script runs in that member's browser context, where it can read session cookies that are not marked HttpOnly, issue requests with the victim's authenticated session, redirect users to phishing sites, or deface the OpenProject interface. The attack is persistent because the malicious filename lives in the repository history: it affects every viewer of that changeset until the commit is rewritten out of the history or the application is patched to escape filenames. Unlike reflected XSS, where the payload travels in the victim's own request, this is stored XSS: the payload arrives through the repository, so neither the victim nor a request-inspecting proxy sees it in the URL.
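To make the mechanism concrete, here is an added example (not OpenProject's code and not part of the advisory) in Ruby, the language OpenProject is written in: a vulnerable rendering pattern that interpolates a repository filename straight into the changeset HTML, next to the hardened form that escapes it with ERB::Util.html_escape, the same helper Rails uses behind `h`. The filename and the table-row template are constructed for illustration and do not reproduce OpenProject's actual views.

```ruby
require 'erb'

# Constructed example of a filename an attacker with push access could commit.
# Note: it deliberately contains no '/' because that cannot be part of a filename.
MALICIOUS_FILENAME = '<img src=x onerror="alert(document.cookie)">.txt'

# Vulnerable pattern: the filename taken from the repository is interpolated
# into the changeset HTML without escaping, so the browser parses it as markup.
def vulnerable_row(filename)
  "<tr><td class=\"filename\">#{filename}</td></tr>"
end

# Hardened pattern: escape the untrusted string before it enters an HTML text
# context. ERB::Util.html_escape turns & < > " ' into entity references.
def hardened_row(filename)
  "<tr><td class=\"filename\">#{ERB::Util.html_escape(filename)}</td></tr>"
end

# Reviewer's check on rendered output: if the attacker-controlled string
# survives byte for byte, the browser will treat it as markup.
def contains_raw_payload?(html, filename)
  html.include?(filename)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_row(MALICIOUS_FILENAME)}"
  puts "hardened:   #{hardened_row(MALICIOUS_FILENAME)}"
end
```

Run it directly to see both rows side by side; the hardened row shows the filename as `&lt;img src=x onerror=&quot;...&quot;&gt;.txt`, which a browser displays as literal text.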
CVE-2026-32703 was publicly disclosed on March 18, 2026. The CVSS score of 9.1 and the low attack complexity (an attacker needs nothing beyond an account with push access to a project repository) suggest a medium probability of exploitation; the EPSS score of 0.03% currently places it in the 10th percentile. As of this writing no public proof-of-concept exploit is available, but the trigger is simple enough (a single commit with a crafted filename) that one is likely to appear. Monitor security advisories and threat intelligence feeds for indications of active exploitation.
Organizations using OpenProject with repositories attached to projects are at risk, and the exposure grows with the number of users who browse those repositories. Teams that keep sensitive project data in OpenProject are especially exposed, because script running in a project member's session can read or modify whatever that member can access. The attackers who can exploit this directly are users with push access to a linked repository, whether a malicious insider or an outsider who has obtained such an account.
• linux / server: Evidence of a crafted commit lives in the repository itself, so check the history of each linked repository for filenames containing HTML metacharacters. If your OpenProject instance logs to the systemd journal (unit names depend on your installation), follow the application log while the Repositories module is in use and look for the same characters:
git -C /path/to/repo log --all --name-only --pretty=format:%H | grep -E '[<>"]'
journalctl -f -u 'openproject*' | grep -E '[<>]'
• generic web: The payload does not travel in the victim's request, so access log entries for changeset views will not show it; the crafted filename has to be committed to the repository, not passed as a URL parameter. What curl can verify is whether a changeset page that lists a known crafted filename (for example a test commit adding <img src=x onerror=alert(1)>.txt) returns it HTML-escaped, which is the fixed behaviour, rather than as raw markup. With an authenticated session cookie and the URL of that changeset page from your instance:
curl -s -b '<session cookie name>=<value>' 'https://openproject.example.com/<changeset page URL>' | grep -c '<img src=x onerror='
A count of 0, with the filename appearing as &lt;img src=x onerror=alert(1)&gt;.txt in the page source, means the output is escaped; any match means the raw markup is still being rendered.
Disclosure:
Exploit status:
EPSS: 0.03% (10th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-32703 is to upgrade OpenProject to a fixed release: 17.2.1 or later, or the corresponding patch release of your release line (16.6.9, 17.0.6, 17.1.3). If an immediate upgrade is not feasible, use temporary workarounds. A WAF in front of OpenProject is unlikely to help: the payload reaches the victim through repository contents rendered by the server, not through the victim's HTTP request, so request-inspecting rules never see it. Instead, review the commit history of every linked repository for filenames containing HTML metacharacters (<, >, ") that might indicate exploitation, and restrict push access to authorized personnel only; where your repository hosting supports server-side hooks, rejecting pushes that introduce such filenames closes the door until the upgrade. After upgrading, confirm the fix by committing a file with a name such as <img src=x onerror=alert(1)>.txt, opening the changeset page, and verifying that the name is shown as literal text (HTML-escaped in the page source) rather than rendered as markup.
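The history review above can be scripted. The following added example (not part of the advisory or of OpenProject) parses the output of `git log --all --name-only --pretty=format:%H` and reports every commit whose file list contains a filename with HTML metacharacters. The embedded sample log is constructed for illustration, and the hypothetical scan_repository helper assumes a local clone and the git CLI on the PATH.

```ruby
# Filenames with these characters can be rendered as markup if the
# application forgets to escape them. '&' is deliberately left out to keep
# noise down; widen the set if your review can afford the extra hits.
HTML_META = /[<>"]/

# Parses text in the format produced by
#   git log --all --name-only --pretty=format:%H
# (a 40-hex commit id, then one path per line, blank lines in between)
# and returns [{commit:, path:}] for every path matching HTML_META.
# git quotes paths containing '"' or '\' as "..." with C escapes; the quote
# character is still present in that form, so such paths are still caught.
def suspicious_filenames(log_text)
  findings = []
  commit = nil
  log_text.each_line(chomp: true) do |line|
    next if line.empty?
    if line.match?(/\A[0-9a-f]{40}\z/)
      commit = line
    elsif line.match?(HTML_META)
      findings << { commit: commit, path: line }
    end
  end
  findings
end

# Hypothetical helper: runs git on a local clone (needs git on the PATH).
def scan_repository(repo_path)
  log = IO.popen(
    ['git', '-C', repo_path, 'log', '--all', '--name-only', '--pretty=format:%H'],
    &:read
  )
  suspicious_filenames(log)
end

# Constructed sample: two commits, the first of which adds a crafted filename.
SAMPLE_LOG = <<~LOG
  0123456789abcdef0123456789abcdef01234567
  README.md
  docs/<img src=x onerror=alert(1)>.txt

  89abcdef0123456789abcdef0123456789abcdef
  src/main.rb
LOG

if __FILE__ == $PROGRAM_NAME
  findings = ARGV.empty? ? suspicious_filenames(SAMPLE_LOG) : scan_repository(ARGV[0])
  findings.each { |f| puts "#{f[:commit]}  #{f[:path]}" }
  puts 'no suspicious filenames found' if findings.empty?
end
```

Run it with the path of a clone as the only argument to scan a real repository; without arguments it scans the built-in sample. Because the scan covers `--all`, it also catches crafted filenames on branches that were pushed but never merged, which still appear in the Repositories module.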
Update OpenProject to version 16.6.9, 17.0.6, 17.1.3 or 17.2.1, or a later version. This fixes the persistent cross-site scripting (XSS) vulnerability by properly escaping filenames displayed from repositories.
CVE-2026-32703 is a critical stored cross-site scripting (XSS) vulnerability in OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3 and 17.2.1, allowing an attacker with push access to inject malicious HTML via repository filenames that are rendered unescaped on changeset pages.
You are affected if you run an OpenProject version earlier than the fixed release of your release line (16.6.9, 17.0.6, 17.1.3 or 17.2.1). Upgrade to that release, or to 17.2.1 or later, to mitigate the risk.
Upgrade OpenProject to 17.2.1 or later, or to the patched release of your release line. If you cannot upgrade immediately, restrict push access to linked repositories and review their history for filenames containing HTML metacharacters.
No active exploitation campaigns have been publicly reported, but the low effort required (one commit by a user with push access) makes it a plausible target.
Refer to the OpenProject security advisory for detailed information and updates: [https://www.openproject.org/security-advisories/](https://www.openproject.org/security-advisories/)