CVE-2026-44696 - CERT CVE
ID CVE-2026-44696
Sažetak OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS This vulnerability is fixed in 17.4.0.
Reference
CVSS
Base: 5.7
Impact: 3.6
Exploitability:2.1
Pristup
VektorSloženostAutentikacija
NETWORK LOW LOW
Impact
PovjerljivostCjelovitostDostupnost
NONE HIGH NONE
CVSS vektor CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Zadnje važnije ažuriranje 26-06-2026 - 20:20
Objavljeno 26-06-2026 - 20:17