PT-2026-3464 · Openproject · Openproject

Sam91281

·

Published

2026-01-19

·

Updated

2026-02-02

·

CVE-2026-23625

CVSS v3.1

8.7

High

Vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenProject versions 16.3.0 through 16.6.4
Description: OpenProject is a web-based project management software. A stored cross-site scripting issue exists in the Roadmap view. The issue occurs when a version contains work packages from a different project: the project name is user-controlled and is not properly escaped before being rendered, allowing for HTML injection. The link-to-work-package helper prepends package.project.to_s to the link and returns the entire string marked with .html_safe, so markup in the project name is emitted into the page unescaped. This allows malicious HTML to be injected into the page. The issue is addressed in later versions by implementing the X-Content-Type-Options: nosniff header.
Recommendations: OpenProject versions 16.3.0 through 16.6.4 should be upgraded to version 16.6.5 or 17.0.0. If upgrading is not possible, add the X-Content-Type-Options: nosniff header in the reverse proxy or web server in front of OpenProject.
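The escaping defect described above, reconstructed as an added Ruby example that is not OpenProject's own code: a helper of the vulnerable shape (project name concatenated into the anchor text and the whole string returned as trusted HTML) next to a hardened one that escapes every user-controlled fragment before joining, plus a small check that flags any tag the helper did not write. The work-package structure, field names and sample values are assumptions; the Rails .html_safe call is only noted in a comment because plain Ruby has no SafeBuffer.

```ruby
require 'erb'

# Hypothetical minimal work package; OpenProject's real model is far richer.
WorkPackage = Struct.new(:id, :subject, :project_name)

# Vulnerable shape: the cross-project name is interpolated raw into the
# markup. In Rails the result would then be tagged .html_safe, which tells
# the view layer to render it without further escaping.
def link_to_work_package_vulnerable(wp, cross_project:)
  prefix = cross_project ? "#{wp.project_name} - " : ''
  "#{prefix}<a href=\"/work_packages/#{wp.id}\">#{ERB::Util.html_escape(wp.subject)}</a>"
end

# Hardened shape: every user-controlled fragment is escaped before it is
# joined, so the only tags in the output are the ones the helper wrote.
def link_to_work_package_safe(wp, cross_project:)
  prefix = cross_project ? "#{ERB::Util.html_escape(wp.project_name)} - " : ''
  "#{prefix}<a href=\"/work_packages/#{Integer(wp.id)}\">#{ERB::Util.html_escape(wp.subject)}</a>"
end

# Defender-side check for a rendered fragment: list every tag name present
# other than the single <a> the helper is allowed to emit.
def stray_tags(html)
  html.scan(%r{</?([a-zA-Z][^\s>/]*)}).flatten.map(&:downcase).reject { |t| t == 'a' }
end

# Constructed input: a project name that carries harmless markup is enough
# to show the difference; the subject also contains angle brackets.
SAMPLE = WorkPackage.new(42, 'Fix login <timeout>', 'Other <b>Project</b>')

if __FILE__ == $PROGRAM_NAME
  puts link_to_work_package_vulnerable(SAMPLE, cross_project: true)
  puts link_to_work_package_safe(SAMPLE, cross_project: true)
end
```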

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-23625
GHSA-CVPQ-CC56-GWXX

Affected Products

Openproject