CVE-2026-23625
Published: 19 January 2026
Summary
CVE-2026-23625 is a high-severity Cross-site Scripting (CWE-79) vulnerability in OpenProject. Its CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique JavaScript (T1059.007). It ranks at the 15.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Information output filtering ensures user-controlled project names are properly encoded or filtered before rendering in the Roadmap view, directly preventing stored XSS payload execution.
Information input validation sanitizes or rejects malicious HTML in project names upon creation, addressing the root of the stored XSS but requiring complementary output handling.
Flaw remediation requires applying patches (versions 16.6.5 and later) or a compensating mitigation such as adding an X-Content-Type-Options: nosniff header to eliminate the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables arbitrary JavaScript execution (T1059.007) in victim browsers, facilitating session hijacking (T1185), cookie theft (T1539), and exploitation of the public-facing web app (T1190).
NVD Description
OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject's roadmap view renders the "Related work packages" list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add an X-Content-Type-Options: nosniff header in their proxying web application server.
Deeper analysis
OpenProject, an open-source web-based project management software, is affected by CVE-2026-23625, a stored cross-site scripting (XSS) vulnerability (CWE-79) in its Roadmap view, impacting versions 16.3.0 through 16.6.4. The vulnerability arises when the Roadmap view renders the "Related work packages" list for a version that includes work packages from a different project, such as a subproject. The helper method link_to_work_package prepends the project name (package.project.to_s) to the link and marks the output as .html_safe without escaping. Since project names are user-controlled, any HTML injected into a subproject name is rendered verbatim in the page. The issue stems from a refactoring to Rails standard content-security policy in version 16.3.0, which inadvertently removed the X-Content-Type-Options: nosniff header.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by creating or controlling a subproject with a malicious HTML payload in its name. The attack requires user interaction (UI:R) from a victim viewing the affected Roadmap view, but achieves cross-origin scope change (S:C), enabling high confidentiality (C:H) and integrity (I:H) impacts with no availability disruption (A:N), as scored at CVSS 8.7. Successful exploitation allows the injected script to execute in the context of other users' browsers, potentially leading to session hijacking, data theft, or page manipulation.
Mitigation is provided in OpenProject versions 16.6.5 and 17.0.0, which restore the X-Content-Type-Options: nosniff header. Organizations unable to upgrade should configure their proxying web application server to add this header. Additional details are available in the OpenProject security advisory (GHSA-cvpq-cc56-gwxx) and release notes for versions 16.6.5 and 17.0.0.
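A simplified Ruby model of the helper defect described above, added here as an illustration and not OpenProject's own code: the Project and WorkPackage structs, the helper names and the only_expected_anchor? check are assumptions constructed for this example, and the vulnerable form is shown beside a hardened form that escapes the project name before it is joined into the markup.

```ruby
require "erb"

# Constructed stand-ins for the Project and WorkPackage records (assumption:
# these are not OpenProject's own classes, only enough shape for the helper).
Project = Struct.new(:name) do
  def to_s; name; end
end
WorkPackage = Struct.new(:id, :subject, :project)

# Model of the vulnerable helper: when the package belongs to another project,
# its name is prepended without escaping and the whole string is then handed
# back as trusted markup (the advisory's .html_safe), so tags in a subproject
# name reach the page verbatim. The subject is escaped; only the prefix is not.
def link_to_work_package_vulnerable(package, current_project)
  prefix = package.project == current_project ? "" : "#{package.project} - "
  link = %(<a href="/work_packages/#{package.id}">##{package.id} #{ERB::Util.html_escape(package.subject)}</a>)
  "#{prefix}#{link}" # in Rails this is the point where .html_safe was applied
end

# Hardened form: every user-controlled fragment is escaped before it is joined,
# so declaring the result safe no longer extends trust to the project name.
def link_to_work_package_fixed(package, current_project)
  name = ERB::Util.html_escape(package.project.to_s)
  prefix = package.project == current_project ? "" : "#{name} - "
  link = %(<a href="/work_packages/#{package.id}">##{package.id} #{ERB::Util.html_escape(package.subject)}</a>)
  "#{prefix}#{link}"
end

# Defensive check for a view test: the rendered fragment may contain exactly one
# anchor (the one the helper emits) and no other element at all.
def only_expected_anchor?(html)
  tags = html.scan(%r{</?([a-z][a-z0-9]*)}i).flatten.map(&:downcase)
  tags.all? { |t| t == "a" } && html.scan(/<a\b/i).size == 1
end
```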
Details
- CWE(s)