CVE-2026-52781 — MEDIUM (6.4)

Vulnerability Description

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(). This executes arbitrary Turbo Stream actions — including redirect_to — in every victim's authenticated browser session, redirecting them to an attacker-controlled server. This vulnerability is fixed in 17.3.3 and 17.4.1.

CVSS Score

6.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Related Weaknesses (CWE)

CWE-79

References

https://github.com/opf/openproject/security/advisories/GHSA-q33w-f822-hg8x

FAQ

What is CVE-2026-52781?

CVE-2026-52781 is a vulnerability with a CVSS score of 6.4 (MEDIUM). OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via :data wildcard. An attacker...

How severe is CVE-2026-52781?

CVE-2026-52781 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-52781?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.