CVE-2026-32703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in opf openproject
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access to the repository to create commits with filenames that included HTML code, which was injected into the page without proper escaping. This allowed a persistent XSS attack against all members of the project who accessed the repositories page to display a changeset in which the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
AI Analysis
Technical Summary
CVE-2026-32703 is a stored cross-site scripting vulnerability (CWE-79) in the Repositories module of OpenProject, an open-source project management tool, affecting versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. The root cause is that filenames taken from repository commits were written into the changeset page without HTML escaping. An attacker who already holds push access to a project's repository commits a file whose name contains markup, for example an element with an event-handler attribute, and later deletes it; when any project member opens the changeset that lists the deletion, the browser parses the filename as HTML and runs the embedded script. Because the payload lives in repository history rather than in a request, it persists until the rendering is fixed, and every viewer of that changeset is a victim. The script executes in the OpenProject origin, so it can read whatever the victim can see and issue authenticated requests with the victim's session: the usual consequences are session or token theft, actions performed as the victim, and redirection to attacker-controlled content. Two preconditions apply: the attacker must be an authenticated user with push rights, and a victim must view the affected changeset. The CVSS v3.1 base score recorded for this entry is 9.1, which falls in the critical band; the vector string is not reproduced here, so confirm it against the upstream GitHub advisory before prioritising, since the required push privilege and the victim interaction are normally reflected in the privileges-required and user-interaction metrics. The issue is resolved in OpenProject 16.6.9, 17.0.6, 17.1.3, and 17.2.1, which escape the filename on output; the offending commits may remain in history because the escaped name is inert. No public exploit had been reported at the time of writing, but crafting such a filename is trivial for anyone with push access, so patching should not wait for one.
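The difference between the vulnerable and the fixed rendering, shown as an added illustration in Ruby that is not OpenProject's own code: a view builds the list of deleted paths for a changeset from a constructed sample, once by interpolating each path straight into the markup and once through `CGI.escapeHTML`. The file names, the `render_deleted_*` helpers and the `foreign_tags` check are all hypothetical, and the payload in the third name is a generic XSS probe, not one from the advisory.

```ruby
require "cgi"

# Constructed sample: the paths a changeset view would list as deleted
# (the output of `git diff-tree -r --name-status` filtered to status D).
# The last name carries a generic XSS probe; git accepts it, since only
# NUL and "/" are forbidden inside a path component.
DELETED_PATHS = [
  "docs/README.md",
  "src/app.rb",
  "<img src=x onerror=alert(document.domain)>.txt",
].freeze

# Vulnerable pattern: the path is interpolated straight into the markup,
# so the browser parses the probe as an element instead of as text.
def render_deleted_unsafe(paths)
  items = paths.map { |p| "<li class=\"deleted\">#{p}</li>" }
  "<ul>#{items.join}</ul>"
end

# Fixed pattern: every untrusted string goes through an HTML escaper at the
# point of output. CGI.escapeHTML (stdlib) turns & < > " ' into entities;
# ERB::Util.html_escape does the same inside Rails views.
def render_deleted_safe(paths)
  items = paths.map { |p| "<li class=\"deleted\">#{CGI.escapeHTML(p)}</li>" }
  "<ul>#{items.join}</ul>"
end

# Hypothetical check used to show the difference: which element names in
# the rendered fragment did the template itself not emit?
TEMPLATE_TAGS = %w[ul li].freeze

def foreign_tags(html)
  names = html.scan(%r{<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)}).flatten
  names.map(&:downcase).uniq - TEMPLATE_TAGS
end

if __FILE__ == $PROGRAM_NAME
  unsafe = render_deleted_unsafe(DELETED_PATHS)
  safe   = render_deleted_safe(DELETED_PATHS)
  puts unsafe
  puts "foreign tags (unsafe): #{foreign_tags(unsafe).inspect}"   # ["img"]
  puts safe
  puts "foreign tags (safe):   #{foreign_tags(safe).inspect}"     # []
end
```

In a Rails view the same bug usually arrives as `raw(...)`, `.html_safe` or string concatenation inside a helper; the remedy is the same in every case, escape at the point of output, and a quick way to audit a template is to scan its rendered output for element names the template never emits, as `foreign_tags` does here.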
Potential Impact
The risk is concentrated in deployments where several people, not all equally trusted, can push to a project's repository: external contractors, students, or any account whose credentials could be phished. A successful attack runs script in the browser of every project member who views the poisoned changeset. That affects confidentiality (the script can read work packages, wiki pages, attachments and any session-bound page or API token the victim can reach), integrity (it can create, edit or delete project content and change settings as the victim, including as an administrator if one views the page), and availability only in the narrow sense that the page can be made unusable for the viewer; the server itself keeps running. Because the payload sits in repository history, it fires for every viewer until the rendering is fixed, so a single malicious commit can reach the whole project team, including the people with the most privileges, who are the likeliest to review changesets. Insider misuse and compromised contributor accounts are the main vectors. For organisations that manage sensitive projects in OpenProject, the realistic outcomes are disclosure of project data, sabotage of project records, and a foothold for attacking other accounts in the same instance.
Mitigation Recommendations
Upgrade every OpenProject instance to 16.6.9, 17.0.6, 17.1.3, or 17.2.1 (or later); this is the only complete fix, because the rendering code is what escapes the filename. If an upgrade has to wait, add a server-side hook on the repository itself (a git pre-receive hook, or an SVN pre-commit hook) that rejects pushes introducing paths containing `<`, `>` or quote characters; a web application firewall is not a substitute here, since git transports filenames inside zlib-compressed packfiles that a WAF cannot inspect. Audit existing repositories as well: list every path that has ever appeared in history on any ref and look for the same characters, because a payload committed before the upgrade stays in history (harmless once the page escapes it, but worth knowing about). If such a path turns up, treat it as an incident: identify who pushed it and which users opened the affected changeset, and invalidate those users' sessions and API tokens rather than assuming the script did nothing. Keep push access limited to people who need it, enforce multi-factor authentication on OpenProject accounts, keep repository credentials (SSH keys, access tokens) tied to individuals rather than shared, and review push logs for commits from unexpected accounts or with unusual filenames. Ask users to report repository pages that behave oddly, such as unexpected pop-ups, redirects or prompts to log in again.
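An interim control and audit in Ruby, added here as an example rather than taken from OpenProject: a git pre-receive hook that refuses pushes introducing paths with HTML metacharacters, plus a one-off scan of existing history. The `HTML_META` character class, the `--hook`/`--scan` flags, the `reject_html_paths.rb` name and the constructed `SAMPLE_LISTING` are assumptions; the hook covers git only (an SVN pre-commit hook would read `svnlook changed` output instead).

```ruby
#!/usr/bin/env ruby
require "open3"

# Characters that delimit tags and attribute values in HTML. A path
# containing any of them is refused; apostrophes in file names are the one
# legitimate casualty, so tune the class for your repositories.
HTML_META = /[<>"']/

# Constructed sample of `git diff-tree --no-commit-id -r --name-status`
# output, including a rename line as produced with rename detection on.
SAMPLE_LISTING = "M\tsrc/app.rb\n" \
                 "D\t<img src=x onerror=alert(1)>.txt\n" \
                 "R100\told.md\tdocs/new.md\n" \
                 "A\tnotes & todo.txt\n"

# Parse name-status output into [status, path] pairs. The status letter is
# the first character of the first field (R100 -> R); for renames and
# copies the path of interest is the last field, the new name.
def parse_name_status(output)
  output.each_line.filter_map do |line|
    fields = line.chomp.split("\t")
    next if fields.size < 2 || fields[0].empty?
    [fields[0][0], fields.last]
  end
end

# Entries whose path the vulnerable view would render unsafely. Deletions
# (D) are the trigger named in the advisory, but every status is reported:
# once pushed, the name stays in history and can be deleted later.
def flag_paths(name_status_output)
  parse_name_status(name_status_output).select { |_status, path| path.match?(HTML_META) }
end

def git(*args)
  out, status = Open3.capture2("git", *args)
  raise "git #{args.join(' ')} failed" unless status.success?
  out
end

# pre-receive entry point. Git feeds one "<old> <new> <refname>" line per
# updated ref on stdin; exiting non-zero rejects the whole push.
# Returns true when nothing was flagged.
def pre_receive(io, err = $stderr)
  zero = "0" * 40
  clean = true
  io.each_line do |line|
    old, new, ref = line.split
    next if new == zero                            # ref deletion: nothing new arrives
    range = old == zero ? new : "#{old}..#{new}"  # new ref: scan everything reachable
    git("rev-list", range).each_line do |sha|
      sha = sha.strip
      listing = git("diff-tree", "--no-commit-id", "-m", "-r", "--root", "--name-status", sha)
      flag_paths(listing).each do |status, path|
        err.puts "rejected #{ref} #{sha[0, 12]} #{status} #{path.inspect}: HTML metacharacter in path"
        clean = false
      end
    end
  end
  clean
end

# One-off audit of an existing repository: every path that ever appeared
# on any ref and contains a flagged character.
def scan_history(repo_dir)
  out = Dir.chdir(repo_dir) { git("log", "--all", "--name-only", "--format=") }
  out.each_line.map(&:chomp).reject(&:empty?).select { |p| p.match?(HTML_META) }.uniq
end

# Hook use: make hooks/pre-receive in the bare repository an executable
# wrapper containing `exec ruby /path/to/reject_html_paths.rb --hook`.
# Audit use: ruby reject_html_paths.rb --scan /path/to/project.git
if __FILE__ == $PROGRAM_NAME
  case ARGV.first
  when "--hook" then exit(pre_receive($stdin) ? 0 : 1)
  when "--scan" then puts scan_history(ARGV[1] || ".")
  else puts "flagged in sample: #{flag_paths(SAMPLE_LISTING).inspect}"
  end
end
```

Run without arguments the script only exercises the parser on the constructed listing; `--hook` and `--scan` shell out to git and so need a real repository. A hook rejecting a push is a signal in its own right: log who attempted it, since a legitimate developer rarely needs an angle bracket in a file name.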
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.823Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bb18f8771bdb1749c6e132
Added to database: 3/18/2026, 9:28:24 PM
Last enriched: 3/18/2026, 9:42:44 PM
Last updated: 3/19/2026, 4:13:54 AM