CVE-2026-32703

{"id": "CVE-2026-32703", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-18T22:16:24.517", "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue."}, {"lang": "es", "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto y basado en la web. En versiones anteriores a la 16.6.9, 17.0.6, 17.1.3 y 17.2.1, el m\u00f3dulo de Repositorios no escapaba correctamente los nombres de archivo mostrados desde los repositorios. Esto permit\u00eda a un atacante con acceso de push al repositorio crear commits con nombres de archivo que inclu\u00edan c\u00f3digo HTML que se inyectaba en la p\u00e1gina sin la sanitizaci\u00f3n adecuada. Esto permit\u00eda un ataque XSS persistente contra todos los miembros de este proyecto que acced\u00edan a la p\u00e1gina de repositorios para mostrar un changeset donde el archivo creado maliciosamente hab\u00eda sido eliminado. Las versiones 16.6.9, 17.0.6, 17.1.3 y 17.2.1 corrigen el problema."}], "lastModified": "2026-03-19T19:23:00.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FD9C4C4-FFDC-4EE6-AAB2-901C1C6CB6BE", "versionEndExcluding": "16.6.9"}, {"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1003FD4-BC22-4AB4-91B4-EB63FFF41C2A", "versionEndExcluding": "17.0.6", "versionStartIncluding": "17.0.0"}, {"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86B90D5D-1A3D-4524-A3CC-F7B7274A4E26", "versionEndExcluding": "17.1.3", "versionStartIncluding": "17.1.0"}, {"criteria": "cpe:2.3:a:openproject:openproject:17.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2D1F069-BA78-4F8A-8FF9-DAE63BFB39CF"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}