CVE-2026-32703 (GCVE-0-2026-32703)
Vulnerability from cvelistv5 – Published: 2026-03-18 21:04 – Updated: 2026-03-19 16:14
Title
OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy
Summary
OpenProject is open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access to the repository to create commits whose filenames included HTML that was injected into the page without proper sanitization. The result was a persistent XSS attack against every member of the project who opened the repositories page to view a changeset in which the maliciously named file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
Severity
9.1 (Critical), the CNA (GitHub_M) CVSS 3.1 score with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. NVD's primary CVSS 3.1 assessment of the same record is 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/opf/openproject/security/advis… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | Status |
|---|---|---|---|
| opf | openproject | < 16.6.9 | Affected |
| opf | openproject | >= 17.0.0, < 17.0.6 | Affected |
| opf | openproject | >= 17.1.0, < 17.1.3 | Affected |
| opf | openproject | >= 17.2.0, < 17.2.1 | Affected |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T16:13:58.033965Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T16:14:11.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openproject",
"vendor": "opf",
"versions": [
{
"status": "affected",
"version": "\u003c 16.6.9"
},
{
"status": "affected",
"version": "\u003e= 17.0.0, \u003c 17.0.6"
},
{
"status": "affected",
"version": "\u003e= 17.1.0, \u003c 17.1.3"
},
{
"status": "affected",
"version": "\u003e= 17.2.0, \u003c 17.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T21:04:16.982Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp"
}
],
"source": {
"advisory": "GHSA-p423-72h4-fjvp",
"discovery": "UNKNOWN"
},
"title": "OpenProject\u0027s repository files are served with the MIME type allowing them to be used to bypass Content Security Policy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32703",
"datePublished": "2026-03-18T21:04:16.982Z",
"dateReserved": "2026-03-13T14:33:42.823Z",
"dateUpdated": "2026-03-19T16:14:11.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32703",
"date": "2026-07-01",
"epss": "0.00189",
"percentile": "0.08697"
}
}
}