CVE Catalog

CVE-2026-52781

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

OpenProject before versions 17.3.3 and 17.4.1 has a vulnerability due to unrestricted data-* attributes in <macro> elements in the HTML sanitizer. An attacker can inject data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(), executing arbitrary Turbo Stream actions including redirect_to to an attacker-controlled server.

Risk Assessment

The risk involves hijacking authenticated user sessions and redirecting them to a malicious server, potentially leading to data theft or further phishing attacks.

Recommendation

Immediately upgrade OpenProject to version 17.3.3 or 17.4.1, which contain the fix for this vulnerability.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This executes arbitrary Turbo Stream actions — including redirect_to — in every victim's authenticated browser session, redirecting them to an attacker-controlled server. This vulnerability is fixed in 17.3.3 and 17.4.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS