CVE-2026-44696
MediumCVSS 5.7Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
OpenProject before version 17.4.0 uses Sanitize::Config::RELAXED[:css] for inline style sanitization in Markdown rendering. This allows authenticated users with write access to inject arbitrary CSS properties in text fields (e.g., work package descriptions, comments).
Risk Assessment
An attacker can modify the interface appearance, hide content, perform phishing attacks, or steal data from other users through manipulated CSS styles.
Recommendation
Immediately update OpenProject to version 17.4.0 or later. If updating is not possible, restrict edit permissions for text fields to trusted users.
Original NVD description (English source)
OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS This vulnerability is fixed in 17.4.0.

