CVE-2026-25764: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in opf openproject
OpenProject is open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability exists in the time tracking function of OpenProject. Because the application does not escape HTML tags, an attacker with administrator privileges can create a work package whose name contains HTML tags and add it to the Work package section when creating a time tracking entry. This issue has been patched in versions 16.6.7 and 17.0.3.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-25764 is an improper neutralization of script-related HTML tags vulnerability (CWE-80) in OpenProject, a widely used open-source, web-based project management application. The flaw resides in the time tracking feature, where HTML tags in work package names are not escaped before rendering. An attacker who already holds administrator privileges can create a work package whose name contains malicious tags; because the name is persisted and later rendered to other users when that work package is added to a time tracking entry, this is a stored (persistent) XSS. Affected versions are those prior to 16.6.7 and 17.0.3; both releases contain the fix. The CVSS 3.1 base score is 3.5 (low), reflecting the high privileges required (administrator), the need for user interaction, and an impact limited primarily to integrity and availability; confidentiality is not impacted. No public exploits have been reported. Within the scope of the affected application the injected script could be used for session manipulation, UI redressing, or denial of service, but the administrator-privilege prerequisite significantly reduces the attack surface.
Potential Impact
For European organizations, the impact of this vulnerability is generally low but not negligible. Since exploitation requires administrator privileges, the threat is mainly from insider attackers or compromised admin accounts. Successful exploitation could lead to injection of malicious scripts that might alter the integrity of project data or disrupt availability by causing UI or application malfunctions. However, there is no direct confidentiality breach. Organizations relying on OpenProject for critical project management and time tracking could face operational disruptions or trust issues if attackers manipulate displayed data or inject misleading content. The risk is higher in environments with weak internal access controls or where administrator credentials are insufficiently protected. Given the open-source nature of OpenProject, many European public sector and private organizations use it, so patching is essential to maintain operational integrity.
Mitigation Recommendations
European organizations should upgrade OpenProject installations to version 16.6.7 or 17.0.3 (or later) to apply the official patch. Beyond patching, enforce strict administrator access controls, including multi-factor authentication and regular credential audits, to reduce the risk of privilege misuse. Deploy Content Security Policy (CSP) headers to limit the impact of any XSS by restricting the sources from which scripts may execute. Treat all user-supplied content as untrusted and escape it on output, even when it originates from trusted roles such as administrators. Conduct security awareness training for administrators. Where a web application firewall (WAF) is in use, tune its rules to detect and block XSS payloads aimed at OpenProject. Finally, monitor logs for unusual administrator activity or unexpected changes to work package names, which could indicate exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T18:35:52.358Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698667edf9fa50a62f37ce38
Added to database: 2/6/2026, 10:15:09 PM
Last enriched: 2/14/2026, 12:13:36 PM
Last updated: 3/22/2026, 4:11:12 PM
Views: 54