CVE-2026-25764
CVE-2026-25764 is a low-severity vulnerability rated 3.5/10 on the CVSS scale. OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. EPSS estimates a 0.24% chance of exploitation in the next 30 days.
Description
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, so an attacker with administrator privileges can create a work package whose name contains HTML tags and then select it in the Work package field when creating a time tracking entry. This issue has been patched in versions 16.6.7 and 17.0.3.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openproject | Openproject | < 16.6.7 |
| Openproject | Openproject | >= 17.0.0, < 17.0.3 |
References
- https://github.com/opf/openproject/releases/tag/v16.6.7 (Product, Release Notes)
- https://github.com/opf/openproject/releases/tag/v17.0.3 (Product, Release Notes)
Timeline
- Status: Analyzed
Source: NVD / NIST
