CVE-2026-23625 is a stored cross-site scripting vulnerability classified under CWE-79, impacting OpenProject, an open-source web-based project management software. The vulnerability exists in versions 16.3.0 through 16.6.4 within the Roadmap view feature, which displays a list of related work packages for each version. When a version includes work packages from different projects or subprojects, the helper function link_to_work_package prepends the project name to the link and marks the entire string as HTML safe without escaping. Since project names are user-controlled inputs, malicious actors can inject arbitrary HTML or JavaScript code into subproject names, which is then rendered verbatim in the user's browser. This improper neutralization of input leads to stored XSS, allowing attackers to execute scripts in the context of authenticated users viewing the Roadmap. The vulnerability requires an attacker to have at least limited privileges to create or modify project names and some user interaction to trigger the payload. The issue was partially mitigated by adding the X-Content-Type-Options: nosniff header in version 16.6.5 and 17.0.0, which prevents MIME-type sniffing attacks that could exacerbate XSS risks. However, a refactoring to use Rails standard content security policies inadvertently removed this header in versions 16.3.0 to 16.6.4, reintroducing the risk. No known exploits are currently reported in the wild, but the high CVSS score of 8.7 reflects the potential for significant impact on confidentiality and integrity. The vulnerability affects all deployments of OpenProject within the specified version range, especially those exposed to multiple users with project creation or modification rights.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of project management data. Exploitation could allow attackers to execute arbitrary scripts in the browsers of authenticated users, leading to session hijacking, credential theft, or unauthorized actions within OpenProject. This could result in leakage of sensitive project information, manipulation of project data, or disruption of project workflows. Organizations relying on OpenProject for critical project management, especially in sectors like government, finance, and technology, may face operational and reputational damage. The vulnerability's requirement for authenticated access limits exposure but does not eliminate risk, as insider threats or compromised accounts could be leveraged. Additionally, the stored nature of the XSS means that malicious payloads persist and affect multiple users, increasing the attack surface. Given the widespread use of OpenProject in European enterprises and public institutions, the impact could be broad if unpatched systems remain in use.

The primary mitigation is to upgrade OpenProject installations to version 16.6.5 or later, where the vulnerability is addressed by reinstating the X-Content-Type-Options: nosniff header and improved content security policies. For organizations unable to upgrade immediately, it is critical to manually configure the web server or proxy to add the X-Content-Type-Options: nosniff HTTP response header to all OpenProject traffic. This header prevents browsers from MIME-type sniffing, reducing the risk of XSS exploitation. Additionally, organizations should audit project and subproject names for suspicious or unexpected HTML content and restrict permissions to create or modify project names to trusted users only. Implementing strict Content Security Policies (CSP) that limit script execution sources can further mitigate risk. Regular monitoring of OpenProject logs for unusual activity and educating users about phishing and XSS risks will also help reduce the likelihood and impact of exploitation.