CVE-2026-44696

OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS. This vulnerability is fixed in 17.4.0.
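As an added example (not code from the OpenProject advisory or project), the following standalone Ruby filter contrasts an allow-everything inline-style setting with a short property allowlist, the kind of restriction that closes off the behaviour described above. The allowlist contents, helper names and the sample style string are constructed assumptions.

```ruby
# Added example: allowlist filtering of inline style attributes. Standalone,
# no gem dependency; property list and sample input are constructed.

# Permissive setting: nil means "no restriction", which is what an
# allow-every-property CSS config amounts to.
PERMIT_ALL = nil

# Hardened setting (constructed allowlist): only the layout properties a
# figure or table in a document body plausibly needs.
LAYOUT_ONLY = %w[width height max-width text-align vertical-align].freeze

# Return the style attribute with only allowlisted declarations kept.
# When an allowlist is in force, values that call a CSS function
# (url(...), expression(...), ...) are dropped as well, since those can
# pull in external resources or trigger browser-specific behaviour.
def filter_style(style, allowed)
  style.to_s.split(";").filter_map do |decl|
    prop, value = decl.split(":", 2)
    next if prop.nil? || value.nil?
    prop = prop.strip.downcase
    value = value.strip
    next if prop.empty? || value.empty?
    unless allowed.nil?
      next unless allowed.include?(prop) # property not on the allowlist
      next if value.include?("(")        # functional value such as url()
    end
    "#{prop}: #{value}"
  end.join("; ")
end

# Number of declarations the filter removed; handy for logging submissions
# that carry styles outside the allowlist.
def dropped_declarations(style, allowed)
  count = ->(s) { s.split(";").count { |d| d.include?(":") } }
  count.call(style.to_s) - count.call(filter_style(style, allowed))
end

# With the Sanitize gem, the same allowlist would be applied by overriding
# the :properties key of the RELAXED css config, e.g.
#   Sanitize::Config.merge(Sanitize::Config::RELAXED,
#     css: Sanitize::Config.merge(Sanitize::Config::RELAXED[:css],
#                                 properties: LAYOUT_ONLY))

if __FILE__ == $PROGRAM_NAME
  sample = "width: 50%; position: fixed; top: 0; background: url(http://example.invalid/x.png)"
  puts "permit-all : #{filter_style(sample, PERMIT_ALL)}"
  puts "allowlist  : #{filter_style(sample, LAYOUT_ONLY)}"
end
```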
Configurations

No configuration.

History

27 Jun 2026, 04:17

Type Values Removed Values Added
References https://github.com/opf/openproject/security/advisories/GHSA-j9q2-49mp-hmq5

26 Jun 2026, 20:20

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-26 20:17

Updated : 2026-06-27 04:17


NVD link : CVE-2026-44696

Mitre link : CVE-2026-44696

CVE.ORG link : CVE-2026-44696

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')