CVE-2026-44696

Name: CVE-2026-44696 — Vulnerability Record
Brand: Quanteta Data Lab
SKU: CVE-2026-44696

MEDIUM

CVSS v3.1: 5.7

NetworkXSSVendor advisory ref

Source data as of: 2026-06-27 05:07:21 UTC

At a glance

Severity: MEDIUM
CVSS: 5.7 v3.1 · NVD
EPSS: EPSS not provided by FIRST.org for this CVE
CISA KEV: No
Type: XSS · NVD CWE
Attack conditions (CVSS vector): Network · Source: NVD Vector
Published: 2026-06-26 · Modified: 2026-06-27
References: Jump to references (1)

CVSS / EPSS / KEV

CVSS v3.1 5.7 / 10 MEDIUM Source: NVD

EPSS — EPSS not provided by FIRST.org for this CVE Source: FIRST.org

CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS This vulnerability is fixed in 17.4.0.

Record details

CVE ID: CVE-2026-44696
CVSS (v3.1): 5.7 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Exploitability subscore: 2.1
Impact subscore: 3.6
CISA KEV: No
Weakness (CWE): CWE-79
Affected configurations (CPE): 0
Published: 2026-06-26
Modified: 2026-06-27
Status: Deferred

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

Vendor advisory https://github.com/opf/openproject/security/advisories/GHSA-j9q2-49mp-hmq5

← Back to all records

CVE-2026-44696

At a glance

CVSS / EPSS / KEV

Description

Record details

References

Related records

Same weakness type (CWE)

Published the same year