Volerion logoVolerion
Volerion logoVolerion

OpenProject Repositories Module Persistent Cross-Site Scripting Vulnerability

Vulnerability

A persistent cross-site scripting vulnerability has been identified in the Repositories module of OpenProject, affecting versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. The issue arises because the module did not properly escape filenames from repositories. This flaw allowed an attacker with push access to inject HTML into filenames, which was then executed on the page without adequate sanitization. As a result, all project members who accessed the repositories page could be exposed to a changeset displaying the maliciously crafted file as deleted.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected HTML is executed in the context of the user viewing the affected repository.

Remediation

Users can upgrade to OpenProject versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1 to address this vulnerability.

Added: Mar 18, 2026, 10:31 PM
Updated: Mar 18, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread
1.9
impact
1.7
exploitability
4.8
remediation
7.7
relevance
4.1
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.