Home / Vulnerability Intelligence / CVE-2026-32703

CVE-2026-32703 - Vulnerability Analysis

CriticalCVSS: 9.0

Last Updated: March 19, 2026

OpenProject - Stored XSS

Published: March 18, 2026Updated: March 19, 2026Remote Exploitable

Overview

OpenProject < 16.6.9, < 17.0.6, < 17.1.3, and < 17.2.1 contain a stored XSS caused by improper escaping of filenames in the Repositories module, letting attackers with push access execute scripts for project members viewing the changeset page.

Severity & Score

Severity: Critical

CVSS Score: 9.0

EPSS Score: 3.3%(Probability of exploitation in next 30 days)

Impact

Attackers with push access can execute persistent scripts in project members' browsers, potentially stealing data or performing actions on their behalf.

Mitigation

Update to versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1 or later.

References

https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 19, 2026

🚨 OpenProject CRITICAL XSS (CVE-2026-32703): Attackers with repo push access can inject persistent scripts via filenames, impacting all users viewing affected pages. Patch to 16.6.9/17.0.6/17.1.3/17.2.1+ now! https://radar.offseq.com/threat/cve-2026-32703-cwe-79-improper-neutralization-of-i-f2afc489 #OffSeq #XSS #OpenProject #infosec

View original post

Related Resources

Details

CVE ID: CVE-2026-32703
Severity: Critical
CVSS Score: 9.0
Type: stored_xss
Status: confirmed
EPSS: 3.3%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Score

3.3%Probability of exploitation in the next 30 days