CVE-2026-32703 - Vulnerability Analysis
Critical | CVSS: 9.0 | Last Updated: March 18, 2026
OpenProject - Stored XSS
Overview
OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 contain a stored XSS vulnerability caused by improper escaping of filenames in the Repositories module. An attacker with push access can execute scripts in the browsers of project members who view the changeset page.
Severity & Score
Impact
Attackers with push access can execute persistent scripts in project members' browsers, potentially stealing data or performing actions on their behalf.
Mitigation
Update to versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1 or later.
Social Media Activity (2 posts)
CVE-2026-32703 - Critical (9) OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with pus... https://www.thehackerwire.com/vulnerability/CVE-2026-32703/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-32703
- Severity: Critical
- CVSS Score: 9.0
- Type: stored_xss
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H