CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-44696

mediumCVSS 5.7covered by 1 sourcefirst seen 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML elements (figure, img, table, th, tr, td). This allows any authenticated user with write access to formattable text fields (work package descriptions, comments, project descriptions, news) to inject CSS This vulnerability is fixed in 17.4.0.

⚡ Watch CVE-2026-44696

Get an email if CVE-2026-44696 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-44696

CVE.org record

Embed the live status

CVE-2026-44696 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-44696 status](https://www.csirts.com/badge/CVE-2026-44696)](https://www.csirts.com/cve/CVE-2026-44696)