CVE-2026-32703

OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy

Description

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.

INFO

Published Date :

2026-03-18T21:04:16.982Z

Last Modified :

2026-03-19T16:14:11.504Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-32703 vulnerability.

Vendors	Products
Openproject	Openproject
Opf	Openproject

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32703.

URL	Resource
https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact