CVE-2026-52781: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in opf openproject
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via a :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This executes arbitrary Turbo Stream actions (including redirect_to) in every victim's authenticated browser session, redirecting them to an attacker-controlled server. This vulnerability is fixed in 17.3.3 and 17.4.1.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-52781 is a cross-site scripting vulnerability in OpenProject, an open-source web-based project management software. The issue arises because the HTML sanitizer improperly allows <macro> elements to have unrestricted data-* attributes via a :data wildcard. An attacker can exploit this by injecting data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This leads to execution of arbitrary Turbo Stream actions, such as redirect_to, in every authenticated victim's browser session, redirecting users to attacker-controlled servers. The vulnerability is resolved in OpenProject versions 17.3.3 and 17.4.1.
Potential Impact
Successful exploitation allows an attacker with at least low privileges to execute arbitrary Turbo Stream actions in authenticated users' browsers without user interaction. This can lead to redirection of users to attacker-controlled servers, potentially facilitating phishing or further attacks. The confidentiality and integrity of user sessions are impacted, but availability is not affected.
Mitigation Recommendations
This vulnerability is fixed in OpenProject versions 17.3.3 and 17.4.1. Users should upgrade to at least these versions to remediate the issue. No other mitigation or temporary fix is indicated.
CVSS v3.1
Score: 6.4 (Medium)
Affected software
pkg:github/opf/openproject
Weaknesses
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-08T17:13:43.065Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3ed4eb72d29f1837ec3426
Added to database: 06/26/2026, 19:37:15 UTC
Last enriched: 06/26/2026, 19:52:43 UTC
Last updated: 06/26/2026, 21:08:12 UTC
Views: 6