{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32703", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.823Z", "datePublished": "2026-03-18T21:04:16.982Z", "dateUpdated": "2026-03-19T16:14:11.504Z"}, "containers": {"cna": {"title": "OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp"}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"version": "< 16.6.9", "status": "affected"}, {"version": ">= 17.0.0, < 17.0.6", "status": "affected"}, {"version": ">= 17.1.0, < 17.1.3", "status": "affected"}, {"version": ">= 17.2.0, < 17.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T21:04:16.982Z"}, "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue."}], "source": {"advisory": "GHSA-p423-72h4-fjvp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T16:13:58.033965Z", "id": "CVE-2026-32703", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:14:11.504Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32703", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T16:13:58.033965Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:14:05.378Z"}}], "cna": {"title": "OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy", "source": {"advisory": "GHSA-p423-72h4-fjvp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"status": "affected", "version": "< 16.6.9"}, {"status": "affected", "version": ">= 17.0.0, < 17.0.6"}, {"status": "affected", "version": ">= 17.1.0, < 17.1.3"}, {"status": "affected", "version": ">= 17.2.0, < 17.2.1"}]}], "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp", "name": "https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T21:04:16.982Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32703", "state": "PUBLISHED", "dateUpdated": "2026-03-19T16:14:11.504Z", "dateReserved": "2026-03-13T14:33:42.823Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T21:04:16.982Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FD9C4C4-FFDC-4EE6-AAB2-901C1C6CB6BE", "versionEndExcluding": "16.6.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1003FD4-BC22-4AB4-91B4-EB63FFF41C2A", "versionEndExcluding": "17.0.6", "versionStartIncluding": "17.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "86B90D5D-1A3D-4524-A3CC-F7B7274A4E26", "versionEndExcluding": "17.1.3", "versionStartIncluding": "17.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openproject:openproject:17.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2D1F069-BA78-4F8A-8FF9-DAE63BFB39CF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue."}], "id": "CVE-2026-32703", "lastModified": "2026-03-19T19:23:00.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-18T22:16:24.517", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,16.6.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.0.0,17.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.1.0,17.1.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.2.0,17.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openproject", "source": "cna", "vendor": "opf"}, "product": "openproject", "vendor": "opf"}], "analysis": {"en": {"generated_at": "2026-03-19T20:50:36.597162+00:00", "value": {"mitigation_remediation": ["Upgrade OpenProject to at least version 16.6.9, 17.0.6, 17.1.3, or 17.2.1.", "Verify that repository filenames are properly escaped in the UI after applying the patch.", "Monitor repository commits for any unexpected or malicious filenames."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected deployments are those running OpenProject versions before 16.6.9, before 17.0.6, before 17.1.3, or before 17.2.1. The product is identified by the vendor identifier opf:openproject and the CPE strings cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:* and cpe:2.3:a:openproject:openproject:17.2.0:*:*:*:*:*:*:*; any instance matching those version ranges is vulnerable.", "description_and_impact": "OpenProject\u2019s Repositories module did not properly escape filenames supplied by the repository. An attacker with push access can commit a file whose name contains HTML code that is rendered on the repositories page without sanitation. This results in a persisted cross\u2011site scripting (XSS) vulnerability that can execute arbitrary JavaScript in the browsers of all project members who view the affected page.", "risk_and_exploitability": "The CVSS score of 9.1 categorises this flaw as high severity, yet the EPSS score is below 1\u202f% and it is not listed in CISA\u2019s KEV catalog. The vulnerability requires the attacker to possess push rights to the repository; after a malicious commit, any project member who accesses the repositories page will have the injected script executed. The potential impact is confined to the victim\u2019s browser and does not require additional conditions beyond repository access."}}}}, "created": "2026-03-19T08:55:26.856915+00:00", "updated": "2026-03-25T11:52:09.536228+00:00", "vendors": ["opf", "opf$PRODUCT$openproject"]}