PT-2026-26157 · Unknown · Openproject
Sam91281
Published: 2026-03-18 · Updated: 2026-03-19
CVE-2026-32703
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenProject versions prior to 16.6.9
OpenProject versions prior to 17.0.6
OpenProject versions prior to 17.1.3
OpenProject versions prior to 17.2.1
Description
OpenProject is a web-based project management software. The Repositories module did not properly escape filenames, allowing an attacker with push access to a repository to inject HTML code through maliciously crafted filenames in commits. This enables a persisted cross-site scripting (XSS) attack against project members accessing the repositories page when viewing changesets where the crafted file was deleted.
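The defect class described above, as an added illustration that is not OpenProject's own code: a changeset file list rendered once without and once with output escaping, in Ruby because OpenProject is a Rails application. The sample changes, the filename and the helper names are constructed for this example.

```ruby
require "erb"

# Constructed sample changeset: the file list a repository browser renders.
# The deleted entry carries markup in its name (a constructed value, not
# taken from any real commit).
SAMPLE_CHANGES = [
  { action: "A", path: "docs/README.md" },
  { action: "D", path: "<b>not-a-real-file</b>.txt" },
].freeze

# Vulnerable pattern: the path is interpolated into markup verbatim, so any
# markup inside a filename reaches the viewer's browser unchanged.
def render_changes_unescaped(changes)
  changes.map { |c| "<li class=\"#{c[:action]}\">#{c[:path]}</li>" }.join("\n")
end

# Fixed pattern: every untrusted value is HTML-escaped at output time, so a
# filename is displayed as text rather than interpreted as markup.
def render_changes_escaped(changes)
  changes.map do |c|
    "<li class=\"#{ERB::Util.html_escape(c[:action])}\">" \
      "#{ERB::Util.html_escape(c[:path])}</li>"
  end.join("\n")
end

# Defender's regression check for templates that render repository paths:
# does the rendered HTML still contain, verbatim, a filename that holds
# HTML-significant characters?
def leaks_raw_markup?(html, changes)
  changes.any? { |c| c[:path].match?(/[<>"']/) && html.include?(c[:path]) }
end

if $PROGRAM_NAME == __FILE__
  puts render_changes_unescaped(SAMPLE_CHANGES)
  puts render_changes_escaped(SAMPLE_CHANGES)
end
```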
Recommendations
Update OpenProject to version 16.6.9 or later.
Update OpenProject to version 17.0.6 or later.
Update OpenProject to version 17.1.3 or later.
Update OpenProject to version 17.2.1 or later.
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Openproject