CVE-2026-25764

EUVD-2026-5557

06.02.2026, 22:16

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3.

Basic XSS

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.5 LOW	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
GitHub_M	CNA	3.5 LOW	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
openproject	openproject	𝑥 < 16.6.7
openproject	openproject	17.0.0 ≤ 𝑥 < 17.0.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

References

https://github.com/opf/openproject/releases/tag/v16.6.7

https://github.com/opf/openproject/releases/tag/v17.0.3

https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp