Strix
26.1K

CVE-2026-32703

MEDIUMCVSS 5.4/10EPSS 0.19%

Last modified

CVE-2026-32703 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. EPSS estimates a 0.19% chance of exploitation in the next 30 days.

Description

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.

Metrics

CVSS 3.1
5.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.19%

8.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
OpenprojectOpenproject< 16.6.9
OpenprojectOpenproject>= 17.0.0, < 17.0.6
OpenprojectOpenproject>= 17.1.0, < 17.1.3
OpenprojectOpenproject17.2.0

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-32703?
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
How severe is CVE-2026-32703?
CVE-2026-32703 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.19% probability of exploitation in the next 30 days.
How do I fix CVE-2026-32703?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-32703?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST