{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23625", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.482Z", "datePublished": "2026-01-19T17:41:41.803Z", "dateUpdated": "2026-01-20T15:10:58.947Z"}, "containers": {"cna": {"title": "OpenProject has stored XSS regression using attachments and script-src self", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx"}, {"name": "https://github.com/opf/openproject/releases/tag/v16.6.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/releases/tag/v16.6.5"}, {"name": "https://github.com/opf/openproject/releases/tag/v17.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/releases/tag/v17.0.0"}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"version": ">= 16.3.0, < 16.6.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T17:41:41.803Z"}, "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject\u2019s roadmap view renders the \u201cRelated work packages\u201d list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add a X-Content-Type-Options: nosniff header in their proxying web application server."}], "source": {"advisory": "GHSA-cvpq-cc56-gwxx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:10:48.607771Z", "id": "CVE-2026-23625", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:10:58.947Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23625", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T15:10:48.607771Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:10:55.887Z"}}], "cna": {"title": "OpenProject has stored XSS regression using attachments and script-src self", "source": {"advisory": "GHSA-cvpq-cc56-gwxx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"status": "affected", "version": ">= 16.3.0, < 16.6.5"}]}], "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx", "name": "https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opf/openproject/releases/tag/v16.6.5", "name": "https://github.com/opf/openproject/releases/tag/v16.6.5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opf/openproject/releases/tag/v17.0.0", "name": "https://github.com/opf/openproject/releases/tag/v17.0.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject\u2019s roadmap view renders the \u201cRelated work packages\u201d list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add a X-Content-Type-Options: nosniff header in their proxying web application server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T17:41:41.803Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23625", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:10:58.947Z", "dateReserved": "2026-01-14T16:08:37.482Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T17:41:41.803Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E445CBC-3EAC-4310-BF92-C9DC0CC0AF09", "versionEndExcluding": "16.6.5", "versionStartExcluding": "16.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject\u2019s roadmap view renders the \u201cRelated work packages\u201d list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add a X-Content-Type-Options: nosniff header in their proxying web application server."}], "id": "CVE-2026-23625", "lastModified": "2026-02-02T20:49:09.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-19T18:16:05.437", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opf/openproject/releases/tag/v16.6.5"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opf/openproject/releases/tag/v17.0.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:52:26.424419+00:00", "value": {"mitigation_remediation": ["Update OpenProject to version 16.6.5 or newer, which includes the missing nosniff header and proper content\u2011security\u2011policy.", "If an upgrade cannot be performed, configure the front\u2011end or reverse proxy to add an X\u2011Content\u2011Type\u2011Options: nosniff header to all responses served by OpenProject.", "Implement input validation on subproject names, allowing only safe characters, to prevent injection until a patch or header is deployed."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "OpenProject released under an open\u2011source license is affected. Versions 16.3.0 up to and including 16.6.4 contain the vulnerability. The issue was mitigated in versions 16.6.5 and 17.0.0 by including an X\u2011Content\u2011Type\u2011Options: nosniff header and correcting the content\u2011security\u2011policy configuration. Installations that cannot upgrade should ensure that a nosniff header is added by their front\u2011end or reverse proxy.", "description_and_impact": "OpenProject 16.3.0 through 16.6.4 contain a stored cross\u2011site scripting flaw in the Roadmap view. The view renders a list of related work packages for each project version, and when a version includes work packages from a different project, a helper function prepends the project name to the link and marks the entire string as safe HTML. Because project names are user\u2011controlled and no escaping occurs before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. This flaw enables an attacker to execute arbitrary scripts in the browser of any user who opens the affected roadmap. Based on the description, it is inferred that such scripts could hijack sessions, steal credentials, or deface the interface.", "risk_and_exploitability": "The CVSS score of 8.7 indicates high severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to create or modify a subproject name containing malicious HTML, requiring either administrative access to the project interface or compromise of the database. Once a victim opens the roadmap page, the injected script runs with the victim user\u2019s privileges."}}}}, "created": "2026-01-20T08:40:22.970112+00:00", "updated": "2026-04-18T16:00:04.285838+00:00", "vendors": ["openproject", "openproject$PRODUCT$openproject"]}