OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS This vulnerability is fixed in 17.4.0.
References
Configurations
No configuration.
History
27 Jun 2026, 04:17
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/opf/openproject/security/advisories/GHSA-j9q2-49mp-hmq5 - |
26 Jun 2026, 20:20
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-26 20:17
Updated : 2026-06-27 04:17
NVD link : CVE-2026-44696
Mitre link : CVE-2026-44696
CVE.ORG link : CVE-2026-44696
JSON object : View
Products Affected
No product.
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
