PT-2026-6806 · Unknown · Openproject

Sonntb21Dcat164 · Published 2026-02-06 · Updated 2026-02-09 · CVE-2026-25764

CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 16.6.7; OpenProject versions prior to 17.0.3

Description: OpenProject is a web-based project management software. The time tracking function fails to properly handle HTML tags in the work package name. An attacker possessing administrator privileges can inject HTML through the name field when creating a work package in the Work package section, and the injected markup is then rendered during time tracking. This could lead to the execution of malicious script (stored cross-site scripting) in the browser of a user who views the affected page.

Recommendations: Update to OpenProject version 16.6.7 or later. Update to OpenProject version 17.0.3 or later.

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25764
GHSA-Q523-C695-H3HP

Affected Products

Openproject