CVE Catalog

CVE-2026-44696

MediumCVSS 5.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

OpenProject before version 17.4.0 uses Sanitize::Config::RELAXED[:css] for inline style sanitization in Markdown rendering. This allows authenticated users with write access to inject arbitrary CSS properties in text fields (e.g., work package descriptions, comments).

Risk Assessment

An attacker can modify the interface appearance, hide content, perform phishing attacks, or steal data from other users through manipulated CSS styles.

Recommendation

Immediately update OpenProject to version 17.4.0 or later. If updating is not possible, restrict edit permissions for text fields to trusted users.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS This vulnerability is fixed in 17.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS