
CVE-2026-25764: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in opf openproject

Severity: Low
Tags: vulnerability, cve-2026-25764, cwe-80
Published: Fri Feb 06 2026 (02/06/2026, 22:10:09 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

CVE-2026-25764 is a low-severity cross-site scripting (XSS) vulnerability in OpenProject, an open-source project management tool. The flaw exists in versions prior to 16.6.7 and 17.0.3 within the time tracking feature, where HTML tags in work package names are not properly escaped. An attacker with administrator privileges can inject malicious HTML or script code by creating a work package with a crafted name, which then executes when the work package is viewed in the time tracking section. Because exploitation requires high privileges and user interaction, the impact is limited. The issue has been patched in the versions named above. European organizations running affected OpenProject versions should update promptly to mitigate the risk.

AI-Powered Analysis

Last updated: 02/06/2026, 22:29:59 UTC

Technical Analysis

CVE-2026-25764 is an HTML injection vulnerability classified under CWE-80, affecting OpenProject versions before 16.6.7 and 17.0.3. The vulnerability arises because the time tracking function fails to properly neutralize or escape HTML tags in the work package name field. An attacker with administrator privileges can exploit this by creating a work package with embedded HTML or script tags. When this malicious work package is added to the Work package section during time tracking, the injected code executes in the context of the victim's browser. This type of vulnerability is a form of stored cross-site scripting (XSS), which can lead to script execution, session hijacking, or UI manipulation. However, exploitation requires the attacker to have administrator-level access and the victim to interact with the malicious content, limiting the attack surface. The vulnerability does not directly compromise confidentiality but can impact integrity and availability by executing unauthorized scripts. The issue has been addressed in OpenProject versions 16.6.7 and 17.0.3 by properly escaping HTML tags in the affected fields. No public exploits or active attacks have been reported to date, indicating a low likelihood of widespread exploitation currently.

Potential Impact

For European organizations, the impact of CVE-2026-25764 is relatively low but non-negligible. Since exploitation requires administrator privileges, the threat mainly concerns insider attackers or compromised admin accounts. Successful exploitation could allow attackers to execute arbitrary scripts within the application context, potentially leading to session hijacking, unauthorized actions, or denial of service through UI manipulation. This could disrupt project management workflows and reduce trust in the system's integrity. Organizations relying heavily on OpenProject for critical project tracking and collaboration may experience operational impacts if the vulnerability is exploited. However, the lack of direct confidentiality impact and the requirement for high privileges limit the overall risk. Prompt patching will prevent attackers from leveraging this vulnerability, preserving system availability and integrity. Additionally, organizations should monitor for suspicious administrator activity to detect potential misuse.

Mitigation Recommendations

1. Upgrade OpenProject installations to version 16.6.7 or 17.0.3 or later, where the vulnerability is patched.
2. Restrict administrator privileges strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts.
3. Implement Content Security Policy (CSP) headers to limit the impact of any injected scripts by restricting script sources and execution contexts.
4. Conduct regular audits of work package names and other user-generated content fields to detect any suspicious or malformed HTML tags.
5. Educate administrators about the risks of injecting untrusted content and encourage safe content creation practices.
6. Monitor application logs and user activity for unusual patterns that may indicate attempts to exploit this vulnerability.
7. Consider deploying web application firewalls (WAF) with rules to detect and block HTML injection or XSS payloads targeting OpenProject endpoints.

These steps go beyond generic advice by focusing on privilege management, content monitoring, and layered defenses specific to this vulnerability.
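The following Ruby snippet is an added illustration of the escaping fix behind step 1 and the content audit in step 4; it is example code written for this page, not OpenProject's own code, and the work package names, row renderer and tag pattern are all constructed assumptions.

```ruby
require "erb"

# Constructed sample work package names (not real data). The second one
# carries a harmless HTML tag of the kind CWE-80 is about.
SAMPLE_NAMES = [
  "Implement login form",
  "Fix <b>bold</b> label",
  "Review \"quarterly\" report",
].freeze

# Unsafe rendering: the name is interpolated verbatim into the markup.
# This reconstructs the class of defect the advisory describes for the
# time tracking view; it is not OpenProject's actual template.
def render_row_unescaped(name, hours)
  "<tr><td>#{name}</td><td>#{hours}</td></tr>"
end

# Hardened rendering: every user-controlled value is HTML-escaped before
# it is placed in the page. ERB::Util.html_escape encodes & < > " and '.
def render_row_escaped(name, hours)
  "<tr><td>#{ERB::Util.html_escape(name)}</td>" \
    "<td>#{ERB::Util.html_escape(hours.to_s)}</td></tr>"
end

# Audit helper for step 4: flag stored names that contain anything that
# looks like an HTML tag so an administrator can review them.
TAG_PATTERN = %r{</?[a-zA-Z][^>]*>}

def names_with_html(names)
  names.select { |n| n.match?(TAG_PATTERN) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_NAMES.each { |n| puts render_row_escaped(n, 1.5) }
  puts "Flagged for review: #{names_with_html(SAMPLE_NAMES).inspect}"
end
```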


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-05T18:35:52.358Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 698667edf9fa50a62f37ce38

Added to database: 2/6/2026, 10:15:09 PM

Last enriched: 2/6/2026, 10:29:59 PM

Last updated: 2/6/2026, 11:58:09 PM

