Cyber Posture

CVE-2026-32703

Severity: Critical
Published: 18 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: fixed versions available (see Deeper analysis)
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32703 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in OpenProject. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent: Directly mitigates CVE-2026-32703 by identifying, reporting, and applying the vendor patches (versions 16.6.9, 17.0.6, 17.1.3, 17.2.1) that implement proper filename escaping to prevent XSS.

SI-15 Information Output Filtering · prevent: Prevents persisted XSS from malicious repository filenames by filtering and encoding output before it is rendered on the repositories page.

Commit-time filename validation · prevent: Addresses the vulnerability by validating repository filenames as inputs at commit time and rejecting those containing HTML/JavaScript payloads.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

The XSS flaw in a public-facing web application is exploited directly under T1190; the injected payload runs JavaScript in victims' browsers (T1059.007), which can lead to browser session hijacking (T1185) and theft of session cookies (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.

Deeper analysis

CVE-2026-32703 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Repositories module in OpenProject, an open-source web-based project management software. The flaw arises from improper escaping of filenames displayed from repositories in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. This allows malicious HTML code embedded in filenames to be injected into web pages without sanitation, enabling persisted XSS attacks. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts with changed scope.

An attacker with push access to a project repository can exploit this by creating commits with filenames containing malicious HTML or JavaScript payloads. When project members access the repositories page to view a changeset—such as one where the maliciously crafted file is deleted—the injected code executes in their browsers. This results in a persisted XSS attack targeting all authenticated members of the project who visit the affected page, potentially leading to session hijacking, data theft, or further compromise depending on the payload.

The official advisory on GitHub (GHSA-p423-72h4-fjvp) confirms that the issue is fixed in OpenProject versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 through proper filename escaping. Security practitioners should urge users to upgrade to these patched versions immediately and review repository access controls to limit push privileges.
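The escaping gap described above, as an added Ruby example that is not OpenProject's own code: an unescaped changeset file listing beside its escaped form, plus the commit-time filename check from the input-validation control listed earlier. The sample changeset, the `render_*` helpers and `suspicious_filenames` are constructed for this illustration.

```ruby
# Added example (not OpenProject's code): contrasts an unescaped changeset
# file listing with an escaped one, and adds a commit-time filename check.
require "erb"

# Constructed sample changeset entries as a repositories page might list
# them; the second path carries HTML in the filename, as the advisory
# describes ("D" = file deleted in this changeset).
SAMPLE_CHANGES = [
  { path: "docs/README.md", action: "M" },
  { path: "<script>alert(1)</script>.txt", action: "D" },
].freeze

# Vulnerable pattern: the filename is interpolated into HTML verbatim,
# so markup in the path lands in the page and executes in the viewer's browser.
def render_changes_unescaped(changes)
  changes.map { |c| "<li>#{c[:action]} #{c[:path]}</li>" }.join
end

# Hardened pattern: every untrusted value is HTML-escaped before rendering,
# which is the kind of output escaping the fixed versions apply.
def render_changes_escaped(changes)
  changes.map do |c|
    "<li>#{ERB::Util.html_escape(c[:action])} #{ERB::Util.html_escape(c[:path])}</li>"
  end.join
end

# Complementary defence-in-depth check (not the vendor fix itself): flag
# filenames carrying HTML metacharacters before a commit is accepted.
def suspicious_filenames(changes)
  changes.map { |c| c[:path] }.select { |p| p.match?(/[<>"'&]/) }
end

if $PROGRAM_NAME == __FILE__
  puts "unescaped: #{render_changes_unescaped(SAMPLE_CHANGES)}"
  puts "escaped:   #{render_changes_escaped(SAMPLE_CHANGES)}"
  puts "flagged:   #{suspicious_filenames(SAMPLE_CHANGES).inspect}"
end
```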

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: Openproject / openproject
Affected versions: 17.2.0 · ≤ 16.6.9 · 17.0.0 to 17.0.6 · 17.1.0 to 17.1.3
