CVE-2026-32703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in opf openproject
CVE-2026-32703 is a critical persistent cross-site scripting (XSS) vulnerability in the OpenProject web-based project management software affecting multiple versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. The flaw exists in the Repositories module where filenames from commits are not properly escaped, allowing attackers with push access to inject malicious HTML/JavaScript code.
AI Analysis
Technical Summary
CVE-2026-32703 is a critical security vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., Cross-site Scripting) affecting OpenProject, an open-source project management platform. The vulnerability resides in the Repositories module of OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. Specifically, the software fails to properly sanitize or escape filenames displayed from repository commits. An attacker who has authenticated push access to a repository can craft commit filenames containing malicious HTML or JavaScript code. When other project members access the repositories page that displays a changeset including the malicious filename (even if the file was later deleted), the injected script executes in their browsers. This persistent XSS attack can lead to session hijacking, credential theft, unauthorized actions on behalf of users, or further malware delivery. The vulnerability requires the attacker to have push access (privileged) and the victim to interact by viewing the affected page. The CVSS v3.1 base score is 9.1 (critical), reflecting network attack vector, low attack complexity, required privileges, user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported, the severity and ease of exploitation by insiders or compromised users make this a significant threat. The issue is resolved in OpenProject versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 by properly escaping filenames to prevent script injection.
Potential Impact
This vulnerability poses a critical risk to organizations using affected versions of OpenProject, especially those relying on the Repositories module for collaborative development. Successful exploitation can lead to persistent XSS attacks that compromise user sessions, steal sensitive project data, and enable unauthorized actions within the project management environment. The attack can undermine confidentiality by exposing user credentials or tokens, integrity by allowing malicious actions or data manipulation, and availability by potentially executing disruptive scripts. Since push access is required, insider threats or compromised developer accounts are primary vectors. The widespread use of OpenProject in industries such as software development, engineering, and project management means that organizations globally could face data breaches, loss of trust, and operational disruptions. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within corporate networks.
Mitigation Recommendations
Organizations should immediately upgrade OpenProject installations to versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1, which contain the necessary fixes to properly escape filenames and prevent XSS injection. Until patches are applied, restrict push access to trusted users only and monitor repository commits for suspicious filenames containing HTML or script tags. Implement web application firewalls (WAFs) with rules to detect and block XSS payloads in repository-related HTTP responses. Educate developers and project members about the risks of opening repository pages with untrusted content. Employ Content Security Policy (CSP) headers to limit the scope of script execution and reduce the impact of potential XSS. Regularly audit user permissions and enforce strong authentication mechanisms to reduce the risk of compromised accounts. Finally, monitor logs and user activity for signs of exploitation or anomalous behavior related to repository commits.
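The two defensive points above, the escaping fix that resolves the issue and the interim check on commit filenames, as an added example in Ruby (OpenProject is a Rails application, but this is not OpenProject's own code and does not reproduce its templates or its actual patch). It renders a changeset file list once with the vulnerable interpolation pattern and once with HTML escaping via `ERB::Util.html_escape`, and flags filenames that contain HTML metacharacters. All function names and the sample changeset are constructed for illustration.

```ruby
require "erb"

# Vulnerable pattern (the 'before'): the filename is interpolated into the
# HTML unchanged, so a filename that contains markup becomes markup in the
# page when any project member views the changeset.
def render_filename_unsafe(filename)
  "<li class=\"changeset-file\">#{filename}</li>"
end

# Hardened pattern: the filename is HTML-escaped before it reaches the page,
# so the same input is shown as literal text instead of being parsed.
def render_filename_safe(filename)
  "<li class=\"changeset-file\">#{ERB::Util.html_escape(filename)}</li>"
end

# Render a whole changeset file list. Deleted files are still listed, which is
# why a filename matters even after the file itself is gone from the tree.
def render_changeset(files, escape: true)
  items = files.map do |f|
    escape ? render_filename_safe(f[:path]) : render_filename_unsafe(f[:path])
  end
  "<ul>\n#{items.join("\n")}\n</ul>"
end

# Detection helper for the interim mitigation: flag commit filenames that
# contain HTML metacharacters. Ordinary filenames almost never contain these,
# so the check is cheap enough for a pre-receive hook or a periodic audit.
HTML_METACHARS = /[<>"'&]/

def suspicious_filename?(filename)
  filename.match?(HTML_METACHARS)
end

def suspicious_files(files)
  files.map { |f| f[:path] }.select { |p| suspicious_filename?(p) }
end

# Constructed sample changeset (hypothetical, not a real commit): two ordinary
# files plus one whose name carries a script tag and is marked as deleted.
SAMPLE_CHANGESET = [
  { path: "README.md", action: "modified" },
  { path: "lib/app/util.rb", action: "added" },
  { path: "<script>x</script>.txt", action: "deleted" },
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Unescaped (vulnerable):"
  puts render_changeset(SAMPLE_CHANGESET, escape: false)
  puts "Escaped (hardened):"
  puts render_changeset(SAMPLE_CHANGESET)
  puts "Flagged filenames: #{suspicious_files(SAMPLE_CHANGESET).inspect}"
end
```

The escaped output contains `&lt;script&gt;x&lt;/script&gt;.txt` where the unescaped output contains a live tag; the detector flags only the third path. Escaping at the output layer is the real fix, since a filename filter can be bypassed by encodings the filter does not anticipate, and a filter also rejects legitimate but unusual names.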
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Switzerland, Japan, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.823Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bb18f8771bdb1749c6e132
Added to database: 3/18/2026, 9:28:24 PM
Last enriched: 3/26/2026, 1:10:59 AM
Last updated: 5/3/2026, 9:22:55 AM