Platform: other
Component: openproject
Fixed in: 16.6.10, 17.0.1, 17.1.1, 17.2.1
CVE-2026-32703 is a critical stored Cross-Site Scripting (XSS) vulnerability in OpenProject affecting versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. The Repositories module rendered filenames from the linked repository without HTML-escaping them. An attacker with push access to that repository can therefore commit a file whose name contains HTML or JavaScript; the markup is stored in the repository history and executed in the browser of every project member who views the repository page.
Injected JavaScript runs with the privileges of the viewing user inside the OpenProject interface: it can issue authenticated requests on the victim's behalf, read page content and any tokens exposed to script, redirect the user to an attacker-controlled site, or deface the application. Because the payload lives in the repository rather than in a single request, it is served to every viewer until the offending path is removed from the repository or the application is upgraded. Any authenticated user with push access can plant it, so the effort required is low relative to the reach, which is why the issue is rated high priority.
The vulnerability was publicly disclosed on 2026-03-18. No active exploitation has been publicly reported, and the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog; the low skill required and the persistence of a stored XSS still argue for prompt patching.
Exploit Status
EPSS: 0.03% (10th percentile)
The primary mitigation is to upgrade OpenProject to the fixed release on your line (16.6.9, 17.0.6, 17.1.3, or 17.2.1) or to 17.2.1 or later. If upgrading immediately is not feasible, restrict push access to linked repositories to trusted users only, since push access is what the attack requires. A Web Application Firewall in front of OpenProject is not an effective control here: the malicious filename arrives through a repository push, not through an HTTP request to the application, so the WAF never sees it. Until patched, review the repository tree and commit history for paths containing HTML metacharacters (<, >, ", ', &). After upgrading, confirm the fix by pushing a commit whose filename contains an HTML tag and checking that the repository page shows the tag text escaped rather than rendering it.
Update OpenProject to version 16.6.9, 17.0.6, 17.1.3, or 17.2.1, or a later release on the same line. The fix escapes repository filenames before they are rendered in the Repositories module, closing the stored XSS.
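The bug class, the hardened rendering, the commit-history review and the post-upgrade check described above, as an added example written for this page; it is not OpenProject's own template or advisory code. The entry names and git log text are constructed samples, and the `/browse/` path and the function names are hypothetical.

```ruby
require 'cgi'
require 'erb'

# Constructed directory listing, standing in for what a repository browser
# would show. The last two names carry markup of the kind CVE-2026-32703
# describes; they are samples written for this example, not payloads taken
# from the advisory.
SAMPLE_ENTRIES = [
  'README.md',
  'src/main.rb',
  '<img src=x onerror=alert(document.cookie)>.txt',
  'notes"><script>alert(1)</script>.md'
].freeze

# Any HTML metacharacter in a path deserves a look: harmless once escaped,
# but unusual in a source tree.
HTML_META = /[<>"'&]/

def suspicious_filename?(name)
  HTML_META.match?(name)
end

# Vulnerable pattern (hypothetical, illustrating the bug class rather than
# OpenProject's template): the filename is interpolated unescaped, so a
# name containing "<script>" becomes a script element in the page.
def render_entry_vulnerable(name)
  "<li><a href=\"/browse/#{name}\">#{name}</a></li>"
end

# Hardened pattern: percent-encode each path segment for the href and
# HTML-escape the visible text, so each context gets its own encoding.
def render_entry_escaped(name)
  href = name.split('/').map { |seg| ERB::Util.url_encode(seg) }.join('/')
  "<li><a href=\"/browse/#{href}\">#{CGI.escapeHTML(name)}</a></li>"
end

# Post-upgrade check: the rendering is unsafe if a name containing
# metacharacters appears verbatim in the output.
def unsafe_render?(rendered, name)
  suspicious_filename?(name) && rendered.include?(name)
end

# Review helper for commit history. Feed it the output of
#   git log --name-only --format=%h
# and it returns the paths that contain HTML metacharacters. Lines that are
# purely 7-40 hex digits are treated as commit hashes and skipped.
def suspicious_paths_in_log(log_text)
  log_text.lines.map(&:chomp)
          .reject { |l| l.empty? || l.match?(/\A\h{7,40}\z/) }
          .select { |path| suspicious_filename?(path) }
          .uniq
end

# Constructed sample of that git output; the hashes are made up.
SAMPLE_GIT_LOG = <<~LOG
  3f2a9c1
  README.md
  <img src=x onerror=alert(document.cookie)>.txt

  9b1c04e
  src/main.rb
LOG

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ENTRIES.each do |name|
    puts "vulnerable: #{render_entry_vulnerable(name)}"
    puts "escaped:    #{render_entry_escaped(name)}"
  end
  puts "suspicious paths in log: #{suspicious_paths_in_log(SAMPLE_GIT_LOG).inspect}"
end
```

Run it with `ruby` to see the two renderings side by side: the vulnerable one emits a live `<img onerror>` and `<script>`, the escaped one shows `&lt;img ...&gt;` as text. To review a real repository, pipe `git log --name-only --format=%h` into `suspicious_paths_in_log`; in Subversion, `svn log -v` output needs the same filter applied to its path lines.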
CVE-2026-32703 is a critical stored Cross-Site Scripting (XSS) vulnerability in OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1; an attacker with push access can inject HTML and JavaScript through repository filenames that the Repositories module renders unescaped.
You are affected if you run a version earlier than 16.6.9, 17.0.6, 17.1.3, or 17.2.1 on the corresponding release line. Upgrade to the fixed release for your line, or to 17.2.1 or later.
Upgrade OpenProject to 17.2.1 or later, or to the fixed release on your line. If you cannot upgrade immediately, restrict push access to linked repositories to trusted users.
No active exploitation has been publicly reported, but the attack requires only push access and an ordinary commit, so treat the issue as a likely target.
Refer to the OpenProject security advisory for detailed information and updates: [https://www.openproject.org/security-advisories/](https://www.openproject.org/security-advisories/)