HTML Sanitization Flaw in OpenProject Affects Web-Based Project Management Software
CVE-2026-52781

6.4MEDIUM

Key Information:

Vendor: Opf
Status: Openproject
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-52781?

OpenProject, an open-source web-based project management software, is vulnerable due to a flaw in its HTML sanitizer. This flaw allows attackers to exploit the unrestricted data-* attributes associated with elements. By injecting a data-controller attribute into a work package description, an attacker can mount a controller that fetches malicious attachments. This exploit can lead to the execution of arbitrary Turbo Stream actions, potentially redirecting victims to malicious servers. Users should update to versions 17.3.3 or 17.4.1 to mitigate this risk.

Affected Version(s)

openproject < 17.3.3 < 17.3.3

openproject >= 17.4.0, < 17.4.1 < 17.4.0, 17.4.1

References

https://github.com/opf/openproject/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 8, 2026

CVE-2026-52781 Data

JSON

Opf

What is CVE-2026-52781?

Affected Version(s)

References

CVSS V3.1

Timeline