CVE-2026-32703 in openproject
Summary
by MITRE • 03/19/2026
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitization. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
Analysis
by VulDB Data Team • 03/23/2026
The vulnerability identified as CVE-2026-32703 affects OpenProject, a widely used open-source, web-based project management platform for collaborative software development workflows. The flaw resides in the Repositories module of the application, specifically in how the system displays filenames. It affects versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, creating a significant security risk for organizations that rely on the platform in their development processes. The vulnerability is a classic cross-site scripting weakness that undermines the integrity of the application's user interface and data presentation.
The technical flaw stems from improper output encoding in the repository filename handling. When files are committed to a repository, the application fails to escape special characters and HTML markup present in their names. A user with push privileges can therefore craft filenames containing HTML that is rendered directly in the web interface without filtering. The vulnerability specifically affects how the system displays changesets and repository contents, where filenames are presented to users without HTML escaping. The flaw aligns with CWE-79, which categorizes cross-site scripting vulnerabilities resulting from insufficient input validation and output encoding. The attack requires the attacker to already possess push access to the target repository, making it a privilege escalation issue that leverages existing access rights to execute malicious code in other users' browsers.
The operational impact of this vulnerability extends beyond simple script execution, as it enables persistent cross-site scripting attacks that affect every project member who views the repository pages. When victims navigate to repository views containing the maliciously crafted filenames, their browsers render the embedded HTML and execute any script it contains, potentially leading to session hijacking, credential theft, or redirection to malicious websites. Because the payload is stored in the repository, the malicious code continues to execute whenever users access the affected pages, long after the initial commit. This creates a continuous threat that can compromise user sessions and potentially escalate to more serious attacks such as privilege escalation or data exfiltration. The vulnerability particularly affects collaborative environments where multiple team members regularly access repository information, amplifying the attack surface and impact.
Organizations using OpenProject should mitigate immediately by upgrading to the patched versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1, which contain proper filename sanitization and HTML escaping. System administrators should audit existing repositories for already-committed filenames containing HTML markup and add monitoring for suspicious commit patterns. The fix addresses the core issue by ensuring that all repository filenames undergo HTML escaping before display, preventing markup injection. Security teams should also consider additional access controls and monitoring for repository modifications, particularly for users with push privileges. This vulnerability demonstrates the importance of input validation and output encoding in web applications, aligning with ATT&CK technique T1059.001 for command and scripting interpreter and T1566.001 for credential access through social engineering. Organizations should also review their incident response procedures to ensure they can quickly identify and remediate similar vulnerabilities in their software supply chain, particularly in collaborative development platforms that handle sensitive project information.
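As an added example (not OpenProject's own code), the Ruby sketch below shows the bug class described in the analysis: a changeset row built by interpolating a filename straight into HTML, beside the escaped form the fix requires, plus the kind of check an administrator can run over existing commit paths when auditing repositories. The changeset structure, method names and the constructed filename are assumptions, not taken from the project.

```ruby
require "cgi"

# Constructed changeset data standing in for what a repository adapter
# would hand the Repositories view: one file added, one modified, and one
# deleted whose name carries HTML markup (a hypothetical attacker-chosen name).
CHANGESET = {
  revision: "a1b2c3d",
  changes: [
    { action: "A", path: "docs/README.md" },
    { action: "M", path: "lib/report.rb" },
    { action: "D", path: "<script>alert(1)</script>.txt" },
  ],
}.freeze

# Vulnerable pattern: the path is interpolated directly into the markup.
# The browser parses the filename as HTML, so the deleted file's name
# becomes a live <script> element when the changeset is displayed.
def render_changes_unsafe(changeset)
  rows = changeset[:changes].map do |c|
    "<li class=\"change-#{c[:action]}\">#{c[:path]}</li>"
  end
  "<ul>#{rows.join}</ul>"
end

# Fixed pattern: every repository-influenced value is HTML-escaped at the
# output boundary. CGI.escapeHTML rewrites &, <, >, " and ' to entities,
# so the same filename is shown as text instead of being parsed as markup.
def render_changes_safe(changeset)
  rows = changeset[:changes].map do |c|
    action = CGI.escapeHTML(c[:action])
    path   = CGI.escapeHTML(c[:path])
    "<li class=\"change-#{action}\">#{path}</li>"
  end
  "<ul>#{rows.join}</ul>"
end

# Audit helper for existing repositories: flag commit paths containing
# HTML metacharacters so commits that already landed can be reviewed.
HTML_META = /[<>"'&]/

def suspicious_paths(changeset)
  changeset[:changes].map { |c| c[:path] }.grep(HTML_META)
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe: #{render_changes_unsafe(CHANGESET)}"
  puts "safe:   #{render_changes_safe(CHANGESET)}"
  puts "review: #{suspicious_paths(CHANGESET).inspect}"
end
```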