
CVE-2026-23625: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in opf openproject

Severity: High
Published: Mon Jan 19 2026 (01/19/2026, 17:41:41 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject's roadmap view renders the "Related work packages" list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting an `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add an X-Content-Type-Options: nosniff header in their proxying web application server.

AI-Powered Analysis

AI analysis last updated: 01/19/2026, 18:11:13 UTC

Technical Analysis

CVE-2026-23625 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 that affects the OpenProject open-source project management software, specifically versions 16.3.0 through 16.6.4. The vulnerability exists in the Roadmap view, which displays a list of related work packages for each project version. When a version includes work packages from subprojects, the helper function link_to_work_package prepends the subproject's name to the link and marks the entire string as html_safe without escaping it first. Since project names are user-controlled input, an attacker can place HTML or JavaScript in a subproject name, and that markup is then rendered verbatim in the Roadmap view. The result is stored XSS: the payload persists in the database and executes in the browser of every user who views the affected page. The root cause is the lack of output escaping combined with the use of html_safe, which bypasses Rails' default escaping. The issue was partially mitigated in versions 16.6.5 and 17.0.0 by reintroducing the X-Content-Type-Options: nosniff HTTP header, which prevents browsers from interpreting responses as a different MIME type and so reduces the risk of script execution. That header had been dropped by a refactoring to Rails' standard Content Security Policy (CSP) configuration, which re-exposed the risk in versions 16.3.0 through 16.6.4. Exploitation requires the attacker to hold an authenticated account able to create or rename subprojects, and a victim must view the affected Roadmap page for the script to run. The CVSS v3.1 score is 8.7 (high), reflecting network attack vector, low attack complexity, required privileges, user interaction, and high impact on confidentiality and integrity. No known exploits are reported in the wild as of publication. Possible consequences include session hijacking, credential theft, unauthorized actions performed on behalf of users, and lateral movement within affected environments.
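To make the mechanism concrete, the following added example (not OpenProject's own code) contrasts the vulnerable helper shape described above with an escaped version, and includes a small check for the nosniff header that the mitigation section relies on. It uses only Ruby's stdlib ERB::Util.html_escape; the WorkPackage struct, link_html, the sample project name and the header hash are constructed for illustration.

```ruby
require "erb"

# Constructed sample: a subproject whose name carries markup (not taken from the advisory).
MALICIOUS_PROJECT_NAME = "Sub <script>alert(1)</script>"

# Hypothetical stand-in for an OpenProject work package (id, subject, owning project name).
WorkPackage = Struct.new(:id, :subject, :project_name)

# Stand-in for the escaped Rails link_to output: id is numeric, subject is escaped.
def link_html(pkg)
  %(<a href="/work_packages/#{pkg.id}">#{ERB::Util.html_escape(pkg.subject)}</a>)
end

# Vulnerable shape described for OpenProject 16.3.0 through 16.6.4: the project name is
# prepended raw and the whole string is then treated as trusted HTML (.html_safe in Rails).
def link_to_work_package_vulnerable(pkg)
  "#{pkg.project_name} - #{link_html(pkg)}"
end

# Hardened shape: escape the user-controlled project name before concatenation,
# so only the link we built ourselves contributes markup.
def link_to_work_package_fixed(pkg)
  "#{ERB::Util.html_escape(pkg.project_name)} - #{link_html(pkg)}"
end

# Defender's check: list any tag names in a rendered fragment other than the anchor we emit.
def unexpected_tags(html)
  html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase).uniq - ["a"]
end

# Mitigation check: given a hash of response headers (e.g. captured from the reverse proxy),
# confirm X-Content-Type-Options: nosniff is actually present, whatever the header's casing.
def nosniff_present?(headers)
  headers.any? { |k, v| k.to_s.casecmp?("x-content-type-options") && v.to_s.strip.casecmp?("nosniff") }
end

if __FILE__ == $PROGRAM_NAME
  pkg = WorkPackage.new(42, "Fix login <bug>", MALICIOUS_PROJECT_NAME)
  puts "vulnerable: #{unexpected_tags(link_to_work_package_vulnerable(pkg)).inspect}"
  puts "fixed:      #{unexpected_tags(link_to_work_package_fixed(pkg)).inspect}"
end
```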

Potential Impact

For European organizations, the impact of CVE-2026-23625 can be significant, particularly for those relying on OpenProject for managing software development, engineering, or collaborative projects. Successful exploitation can lead to theft of sensitive project data, user credentials, and session tokens, enabling attackers to impersonate legitimate users and perform unauthorized actions. This can compromise project integrity and confidentiality, disrupt workflows, and potentially expose intellectual property. Since the vulnerability requires authenticated access, insider threats or compromised accounts pose a heightened risk. The stored nature of the XSS means multiple users can be affected once malicious content is injected. Organizations with strict data protection regulations, such as GDPR in the EU, may face compliance risks and reputational damage if breaches occur. Additionally, the vulnerability could be leveraged as a stepping stone for further attacks within enterprise networks. The absence of known exploits in the wild suggests a window for proactive remediation before widespread abuse.

Mitigation Recommendations

The primary mitigation is to upgrade OpenProject installations to version 16.6.5 or later, where the vulnerability is addressed by proper HTTP header configuration and improved content security policies. For organizations unable to upgrade immediately, it is critical to manually add the X-Content-Type-Options: nosniff header at the web server or reverse proxy level to prevent MIME type sniffing and reduce the risk of script execution. Additionally, organizations should audit project and subproject names for suspicious or malicious content and restrict who can create or modify project names to trusted users only. Implementing strict Content Security Policies (CSP) tailored to the application can further mitigate XSS risks. Regular security training for users to recognize suspicious behavior and careful monitoring of logs for unusual activities related to project metadata changes are recommended. Finally, applying the principle of least privilege to user roles within OpenProject reduces the attack surface by limiting who can inject malicious input.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-14T16:08:37.482Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696e705dd302b072d9cf653f

Added to database: 1/19/2026, 5:56:45 PM

Last enriched: 1/19/2026, 6:11:13 PM

Last updated: 1/19/2026, 9:23:59 PM
