3.5
CVE-2026-25764
- EPSS 0.24%
- Veröffentlicht 06.02.2026 22:10:09
- Zuletzt bearbeitet 13.02.2026 19:04:45
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginOpenProject vulnerable to Stored HTML injection
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Openproject ≫ Openproject Version < 16.6.7
Openproject ≫ Openproject Version >= 17.0.0 < 17.0.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.149 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 3.5 | 0.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
|
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
https://github.com/opf/openproject/releases/tag/v16.6.7
https://github.com/opf/openproject/releases/tag/v17.0.3
https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp