VYPR

Openproject

by Opf

CVEs (37)

  • CVE-2026-23721 (Jan 19, 2026)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions…

  • CVE-2026-23646 (Jan 19, 2026)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the…

  • CVE-2026-23625 (Jan 19, 2026)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When…

  • CVE-2026-22605 (Jan 10, 2026)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3 allowed users with the View Meetings permission on any project to access meeting details of meetings that belonged to projects the user does not have access to.…

  • CVE-2026-22604 (Jan 10, 2026)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting…

  • CVE-2026-22603 (Jan 10, 2026)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In…

  • CVE-2026-22602 (Jan 10, 2026)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low-privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete…

  • CVE-2026-22601 (Jan 10, 2026)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is an open-source, web-based project management software. In OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.

  • CVE-2026-22600 (Jan 10, 2026)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work…

  • CVE-2025-24892 (Feb 10, 2025)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before…

  • CVE-2024-41801 (Jul 25, 2024)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack…

  • CVE-2024-35224 (May 23, 2024)
    risk 0.00 | cvss: not listed | epss 0.00

    OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the…

  • CVE-2023-33960 (Jun 1, 2023)
    risk 0.00 | cvss: not listed | epss 0.01

    OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the…

  • CVE-2023-31140 (May 8, 2023)
    risk 0.00 | cvss: not listed | epss 0.01

    OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not…

  • CVE-2021-43830 (Dec 14, 2021)
    risk 0.00 | cvss: not listed | epss 0.01

    OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget insufficiently…

  • CVE-2021-32763 (Jul 20, 2021)
    risk 0.00 | cvss: not listed | epss 0.01

    OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip ``…

  • CVE-2019-17092 (Oct 9, 2019)
    risk 0.00 | cvss: not listed | epss 0.02

    An XSS vulnerability in the project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.

Page 2 of 2