CVE-2026-25764
- Source
- https://cve.org/CVERecord?id=CVE-2026-25764
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25764.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25764
- Aliases
-
- GHSA-q523-c695-h3hp
- Published
- 2026-02-06T22:10:09.715Z
- Modified
- 2026-02-09T02:51:17.878060Z
- Severity
-
- 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- OpenProject vulnerable to Stored HTML injection
- Details
-
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3.
- Database specific
{ "cwe_ids": [ "CWE-80" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25764.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25764.json
- https://github.com/opf/openproject/releases/tag/v16.6.7
- https://github.com/opf/openproject/releases/tag/v17.0.3
- https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp
- https://nvd.nist.gov/vuln/detail/CVE-2026-25764
Affected packages
Git / github.com/opf/openproject
Affected ranges
- Type
- GIT
- Repo
- https://github.com/opf/openproject
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
11.*
11.2.1
2.*
2.4.0
release/3.*
release/3.0.0
Other
sprint/2014_08
sprint/2014_09
sprint/2014_10
sprint/2014_11
sprint/2014_12
sprint/2014_13
sprint/2014_16
sprint/2014_18
sprint/2015_01
sprint/2015_02
sprint/2015_03
sprint/2015_04
v10.*
v10.5
v11.*
v11.0.0
v11.0.1
v11.0.2
v11.0.3
v11.0.4
v11.1.0
v11.1.1
v11.1.2
v11.1.3
v11.1.4
v11.2.0
v11.2.1
v11.2.2
v11.2.3
v11.2.4
v17.*
v17.0.0
v17.0.1
v17.0.2
v3.*
v3.0.0
v3.0.1
v3.0.11
v3.0.12
v3.0.13
v3.0.8
v4.*
v4.0.0
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-beta
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v5.*
v5.0.0
v5.0.1
v5.0.10
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v9.*
v9.0.0-pre
v9.0.2-pre