CVE-2026-25764

Low CVSS: 3.5

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3.

Vendor

Openproject

Product

Openproject

CWE

CWE-80

Yayın Tarihi

2026-02-06 22:16:12

Güncelleme

2026-02-13 19:04:45

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-80 Openproject LOW Openproject 2026

Referanslar

https://github.com/opf/openproject/releases/tag/v16.6.7 https://github.com/opf/openproject/releases/tag/v17.0.3 https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp

Benzer Kayıtlar

Critical

CVE-2026-32698

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2…

Critical

CVE-2026-32703

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 1…

Low

CVE-2026-31974

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (P…

Medium

CVE-2026-30235

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to…

Medium

CVE-2026-30236

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and…

Medium

CVE-2026-30239

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the wor…