{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-24T15:18:35.144","vulnerabilities":[{"cve":{"id":"CVE-2026-23625","sourceIdentifier":"security-advisories@github.com","published":"2026-01-19T18:16:05.437","lastModified":"2026-02-02T20:49:09.927","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add a X-Content-Type-Options: nosniff header in their proxying web application server."},{"lang":"es","value":"OpenProject es un software de gestión de proyectos de código abierto y basado en la web. Las versiones 16.3.0 a la 16.6.4 están afectadas por una vulnerabilidad de cross-site scripting almacenado en la vista de Hoja de Ruta. La vista de hoja de ruta de OpenProject renderiza la lista de 'Paquetes de trabajo relacionados' para cada versión. Cuando una versión contiene paquetes de trabajo de un proyecto diferente (por ejemplo, un subproyecto), el ayudante link_to_work_package antepone package.project.to_s al enlace y devuelve la cadena completa con .html_safe. Debido a que los nombres de los proyectos son controlados por el usuario y no se produce ningún escape antes de llamar a html_safe, cualquier HTML colocado en el nombre de un subproyecto se inyecta textualmente en la página. El problema subyacente se mitiga en las versiones 16.6.5 y 17.0.0 al establecer un encabezado 'X-Content-Type-Options: nosniff', que estuvo en su lugar hasta una refactorización a la política de seguridad de contenido estándar de Rails, que no aplicó correctamente este encabezado en la nueva configuración desde OpenProject 16.3.0. Aquellos que no puedan actualizar sus instalaciones deben asegurarse de añadir un encabezado 'X-Content-Type-Options: nosniff' en su servidor de aplicaciones web de proxy."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":5.8},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*","versionStartExcluding":"16.3.0","versionEndExcluding":"16.6.5","matchCriteriaId":"9E445CBC-3EAC-4310-BF92-C9DC0CC0AF09"}]}]}],"references":[{"url":"https://github.com/opf/openproject/releases/tag/v16.6.5","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/opf/openproject/releases/tag/v17.0.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx","source":"security-advisories@github.com","tags":["Vendor Advisory","Mitigation"]}]}}]}