CVE-2026-25764

3.5 LOW

📋 TL;DR

OpenProject versions before 16.6.7 and 17.0.3 contain an HTML injection vulnerability in the time tracking function. An attacker with administrator privileges can inject HTML tags into work package names, potentially leading to cross-site scripting attacks. This affects all OpenProject installations running vulnerable versions.

💻 Affected Systems

Products:
  • OpenProject
Versions: All versions before 16.6.7 and 17.0.3
Operating Systems: All platforms running OpenProject
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator privileges to exploit. Affects the time tracking function specifically.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator could inject malicious scripts that execute in other users' browsers, potentially stealing session cookies or performing actions on behalf of users.

🟠

Likely Case

Limited HTML injection allowing content manipulation or basic phishing attempts within the application interface.

🟢

If Mitigated

No impact if proper input validation and output encoding are implemented.

🌐 Internet-Facing: MEDIUM - While exploitation requires admin privileges, internet-facing instances could be targeted by compromised admin accounts.
🏢 Internal Only: MEDIUM - Internal attackers with admin access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator privileges. The vulnerability is straightforward HTML injection without proper escaping.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.6.7 or 17.0.3

Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp

Restart Required: Yes

Instructions:

1. Backup your OpenProject installation and database.
2. Update to OpenProject 16.6.7 (for the 16.x branch) or 17.0.3 (for the 17.x branch).
3. Restart the OpenProject service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Restriction

Applies to: all

Implement additional input validation to reject HTML tags in work package names

Not applicable - requires code modification
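The workaround above describes input restriction, and the "If Mitigated" case describes output encoding. The following is an added illustration of both, written for this page and not taken from OpenProject's code base: the template string, method names, the constructed work package name and the deny-list regex are all assumptions. It contrasts rendering a work package name verbatim (HTML injection) with rendering it through Ruby's standard HTML escaping, and shows the kind of name check a temporary restriction would apply.

```ruby
# Added example (not OpenProject's own code): unsafe versus escaped
# rendering of a work package name, plus the name restriction described
# in the workaround. Template, method names and sample data are assumptions.
require "erb"

# Constructed name carrying markup of the "content manipulation / basic
# phishing" kind the page describes (link points at a reserved test domain).
INJECTED_NAME = 'Review <a href="https://example.invalid/login">sign in again</a>'

# Vulnerable pattern: the name is interpolated into markup verbatim, so any
# tag it carries becomes part of the page the next viewer loads.
def render_time_entry_unsafe(name, hours)
  "<tr><td>#{name}</td><td>#{hours}</td></tr>"
end

# Hardened pattern: output encoding turns < > & " ' into entities, so the
# browser displays the name as text and never parses it as markup.
def render_time_entry_safe(name, hours)
  "<tr><td>#{ERB::Util.html_escape(name)}</td>" \
    "<td>#{ERB::Util.html_escape(hours.to_s)}</td></tr>"
end

# Workaround-style restriction: reject names that contain anything shaped
# like an HTML tag. Plain comparisons such as "2 < 3" still pass. This is a
# stop-gap; output encoding remains the actual fix.
HTML_TAG = %r{<\s*/?\s*[a-z!][^>]*>}i

def valid_work_package_name?(name)
  !name.match?(HTML_TAG)
end

if __FILE__ == $PROGRAM_NAME
  puts render_time_entry_unsafe(INJECTED_NAME, 1.5)
  puts render_time_entry_safe(INJECTED_NAME, 1.5)
  puts "name accepted? #{valid_work_package_name?(INJECTED_NAME)}"
end
```

Running the script prints the raw row (with a live link) followed by the escaped row (the link shown as literal text), then reports that the restriction rejects the constructed name.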

🧯 If You Can't Patch

  • Restrict administrator privileges to trusted users only
  • Monitor for suspicious HTML content in work package names

🔍 How to Verify

Check if Vulnerable:

Check OpenProject version via admin interface or by examining the installation directory. Versions below 16.6.7 or 17.0.3 are vulnerable.

Check Version:

Check OpenProject admin dashboard or run: grep 'version' /path/to/openproject/config/application.rb

Verify Fix Applied:

After updating, confirm the version is 16.6.7 or higher (16.x branch) or 17.0.3 or higher (17.x branch), then test the time tracking function with HTML in work package names.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML content in work package creation logs
  • Multiple work package creations with special characters

Network Indicators:

  • HTTP requests containing HTML tags in work package name parameters

SIEM Query:

source="openproject" AND (work_package.name CONTAINS "<" OR work_package.name CONTAINS ">")
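The log indicators and the SIEM query above can be checked offline against exported logs. The script below is an added example written for this page, not OpenProject's own tooling or log format: the line layout (timestamp, actor, action, then the name as the rest of the line), the sample lines and the repeat threshold are all constructed. It applies the query's rule (a name containing "<" or ">") to each parsed event and then groups hits by actor to surface the "multiple work package creations with special characters" indicator.

```ruby
# Added example (not OpenProject code): apply the page's log indicators to
# constructed log lines. The line format and threshold are assumptions.
LogEvent = Struct.new(:ts, :actor, :action, :name)

# Constructed sample: the name field is the remainder of the line.
SAMPLE_LOG = <<~LOG
  2026-01-10T09:12:01Z actor=alice action=work_package.create name=Fix login timeout
  2026-01-10T09:13:44Z actor=admin action=work_package.create name=Review <a href="https://example.invalid/login">sign in again</a>
  2026-01-10T09:15:02Z actor=bob action=work_package.create name=Latency 2 < 3 ms target
  2026-01-10T09:16:30Z actor=admin action=work_package.update name=Deploy <b>NOW</b>
  2026-01-10T09:17:05Z actor=admin action=work_package.create name=<i>Budget</i> review
  2026-01-10T09:18:00Z actor=carol action=time_entry.create name=<b>not a work package</b>
  malformed line that the parser skips
LOG

LINE_RE = /\A(?<ts>\S+) actor=(?<actor>\S+) action=(?<action>\S+) name=(?<name>.*)\z/

# Parse lines into events; lines that do not match the format are dropped.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line.chomp) or next
    LogEvent.new(m[:ts], m[:actor], m[:action], m[:name])
  end
end

# Mirrors the SIEM query: any "<" or ">" in the name is a hit. Note that a
# benign comparison such as "2 < 3" also matches; triage is still needed.
def html_in_name?(event)
  event.name.include?("<") || event.name.include?(">")
end

# Only work package events are in scope for this indicator.
def suspicious_events(events)
  events.select { |e| e.action.start_with?("work_package.") && html_in_name?(e) }
end

# Second indicator: one actor creating several work packages with markup in
# the name. THRESHOLD is a constructed value; tune it to the environment.
THRESHOLD = 2

def repeat_offenders(events)
  suspicious_events(events)
    .select { |e| e.action == "work_package.create" }
    .group_by(&:actor)
    .select { |_actor, evs| evs.size >= THRESHOLD }
    .keys
end

if __FILE__ == $PROGRAM_NAME
  events = parse_log(SAMPLE_LOG)
  suspicious_events(events).each { |e| puts "#{e.ts} #{e.actor} #{e.action}: #{e.name}" }
  puts "repeat offenders: #{repeat_offenders(events).join(', ')}"
end
```

Against the sample, four work package events are flagged (including bob's benign comparison, which shows why the raw query produces noise) and only the admin account exceeds the repeat threshold, matching the page's point that exploitation requires an administrator.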
