Opf (OpenProject)
37 CVEs in total; the 20 listed below are the ones shown on the page.
Recent CVEs
Vendor / Product is opf / OpenProject for every row. Severity and CVSS are shown as "—" where the page gives no value; the KEV column is empty for every row on the page. Descriptions ending in "…" are truncated on the page.

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34717 | Critical | 0.57 | 9.9 | 0.00 | | Apr 2, 2026 | OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version… |
| CVE-2017-11667 | High | 0.53 | 8.1 | 0.01 | | Jul 26, 2017 | OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session. |
| CVE-2026-33667 | High | 0.48 | 7.4 | 0.00 | | Apr 15, 2026 | OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing… |
| CVE-2026-40896 | Medium | 0.35 | 6.5 | 0.00 | | Apr 20, 2026 | OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No… |
| CVE-2019-11600 | — | 0.02 | — | 0.80 | | May 13, 2019 | A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access. |
| CVE-2026-32703 | — | 0.00 | — | 0.00 | | Mar 18, 2026 | OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access to the repository to… |
| CVE-2026-32698 | — | 0.00 | — | 0.00 | | Mar 18, 2026 | OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected… |
| CVE-2026-31974 | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, the OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether… |
| CVE-2026-30239 | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action… |
| CVE-2026-30236 | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member. This exposed the user's default rate… |
| CVE-2026-30235 | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink… |
| CVE-2026-30234 | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the value in markup.bcf is manipulated to contain an absolute or traversal local… |
| CVE-2026-27723 | — | 0.00 | — | 0.00 | | Mar 5, 2026 | OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2. |
| CVE-2026-24777 | — | 0.00 | — | 0.00 | | Feb 9, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock… |
| CVE-2026-25763 | — | 0.00 | — | 0.00 | | Feb 6, 2026 | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest… |
| CVE-2026-25764 | — | 0.00 | — | 0.00 | | Feb 6, 2026 | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags; an attacker with administrator privileges… |
| CVE-2026-24776 | — | 0.00 | — | 0.00 | | Feb 6, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag-and-drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring… |
| CVE-2026-24775 | — | 0.00 | — | 0.00 | | Jan 28, 2026 | OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the… |
| CVE-2026-24772 | — | 0.00 | — | 0.00 | | Jan 28, 2026 | OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours,… |
| CVE-2026-24685 | — | 0.00 | — | 0.00 | | Jan 28, 2026 | OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single… |
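CVE-2026-34717, CVE-2019-11600 and CVE-2026-32698 are all the same defect: a value (or, in the custom-field case, a name) reaches the SQL text by interpolation. The Ruby below is an added illustration, not OpenProject's reporting operator: `where_numeric_equals_unsafe` reproduces the interpolating pattern the first description names, `where_numeric_equals_safe` validates the values as integers and returns a placeholder fragment plus bind values, and the field allowlist covers the identifier case, since identifiers cannot be bound. The function names, the allowlist and the `IN (...)` shape are assumptions for the example.

```ruby
# Added example (not OpenProject code): an "equals number" operator that
# builds a WHERE fragment, in a vulnerable and a hardened form.
require 'set'

# Column names are identifiers and cannot be bound, so they come from an
# allowlist, never from the request (hypothetical list for this example).
ALLOWED_FIELDS = Set['project_id', 'user_id', 'cost_type_id'].freeze

class FieldError < StandardError; end

def check_field!(field)
  raise FieldError, "unknown field #{field.inspect}" unless ALLOWED_FIELDS.include?(field)
  field
end

# Vulnerable shape: request values are concatenated into the SQL text, so
# "1) OR 1=1 --" becomes part of the query.
def where_numeric_equals_unsafe(field, values)
  check_field!(field)
  "#{field} IN (#{Array(values).map(&:to_s).join(', ')})"
end

# Hardened shape: every value must parse as an integer, and the fragment
# carries placeholders; the values travel separately as bind parameters.
# Returns [sql_fragment, bind_values].
def where_numeric_equals_safe(field, values)
  check_field!(field)
  ints = Array(values).map do |v|
    s = v.to_s.strip
    raise ArgumentError, "non-numeric value #{s.inspect}" unless s.match?(/\A-?\d+\z/)
    Integer(s, 10)
  end
  raise ArgumentError, 'empty value list' if ints.empty?
  ["#{field} IN (#{Array.new(ints.size, '?').join(', ')})", ints]
end

if __FILE__ == $PROGRAM_NAME
  payload = ['1) OR 1=1 --']                      # constructed attacker input
  puts where_numeric_equals_unsafe('project_id', payload)
  begin
    where_numeric_equals_safe('project_id', payload)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The returned fragment and bind array are what you hand to the driver (in ActiveRecord, `where(fragment, *binds)`); the values never re-enter the string.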
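CVE-2026-33667 names three missing controls on OTP confirmation: rate limiting, lockout and failed-attempt tracking. The Ruby below is an added sketch of those controls, not the two_factor_authentication module: failure timestamps per user, a lockout once `MAX_FAILURES` failures fall inside `WINDOW`, a constant-time code comparison, and an injectable clock so the lockout can be exercised without waiting. The class, the constants and the in-memory store are assumptions; a deployment would persist the counters so they survive restarts and apply across app servers.

```ruby
# Added example (not OpenProject code): OTP verification with failed-attempt
# tracking and lockout. Assumes a 6-digit code already derived elsewhere.
class OtpVerifier
  MAX_FAILURES = 5        # failures inside WINDOW that trigger a lockout
  WINDOW = 15 * 60        # seconds over which failures are counted
  LOCKOUT = 15 * 60       # seconds the account stays locked

  Result = Struct.new(:ok, :reason)

  # clock is injectable so tests can move time forward deterministically.
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] }   # user_id => [failure timestamps]
    @locked_until = {}                           # user_id => unlock time
  end

  def verify(user_id, submitted, expected)
    now = @clock.call
    # A locked account rejects even the correct code until the lockout ends,
    # otherwise the lockout would not stop a guess that happens to be right.
    return Result.new(false, :locked) if (t = @locked_until[user_id]) && now < t

    if constant_time_equal?(submitted.to_s, expected.to_s)
      @failures.delete(user_id)
      @locked_until.delete(user_id)
      return Result.new(true, :ok)
    end

    record_failure(user_id, now)
    Result.new(false, :invalid)
  end

  def failures(user_id)
    @failures[user_id].size
  end

  private

  def record_failure(user_id, now)
    recent = @failures[user_id].select { |t| now - t < WINDOW }
    recent << now
    @failures[user_id] = recent
    return if recent.size < MAX_FAILURES
    @locked_until[user_id] = now + LOCKOUT
    @failures.delete(user_id)
  end

  # Byte-wise comparison whose running time does not depend on the first
  # mismatching position; length is checked first (lengths are not secret).
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

The lockout is per account rather than per IP on purpose: an attacker rotating addresses still burns the same five attempts.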
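CVE-2026-40896, CVE-2026-24776, CVE-2026-27723 and CVE-2026-30239 share a shape: the permission is evaluated in a project the caller picked rather than the one that owns the target object, a structural relation (the section belongs to this meeting) is not verified, or the write happens before the check. The Ruby below is an added illustration with in-memory stubs, not OpenProject's meeting, wiki or permission code: it derives the project from the target meeting, checks the permission there, verifies the section/meeting relation, and only then mutates. The model names, `allowed_to?` and the `:manage_agendas` symbol are assumptions modelled on the descriptions.

```ruby
# Added example (not OpenProject code): scope the permission check to the
# project that owns the target, and check everything before mutating.
Project = Struct.new(:id, :name)
Meeting = Struct.new(:id, :project_id)
Section = Struct.new(:id, :meeting_id)
AgendaItem = Struct.new(:id, :meeting_id, :section_id, :title)

class Forbidden < StandardError; end
class NotFound < StandardError; end

class User
  # grants: { project_id => [:permission, ...] } (hypothetical shape)
  def initialize(name, grants)
    @name = name
    @grants = grants
  end

  def allowed_to?(permission, project)
    @grants.fetch(project.id, []).include?(permission)
  end
end

class AgendaService
  def initialize(projects:, meetings:, sections:)
    @projects = projects.to_h { |p| [p.id, p] }
    @meetings = meetings.to_h { |m| [m.id, m] }
    @sections = sections.to_h { |s| [s.id, s] }
    @items = {}
    @next_id = 1
  end

  # Vulnerable shape: the permission is checked in a project the caller names,
  # then the item is written into whatever meeting id the request carries.
  def create_item_unsafe(user, claimed_project_id, meeting_id, title)
    project = @projects.fetch(claimed_project_id) { raise NotFound }
    raise Forbidden unless user.allowed_to?(:manage_agendas, project)
    store(AgendaItem.new(@next_id, meeting_id, nil, title))
  end

  # Hardened shape: the project is derived from the target meeting.
  def create_item(user, meeting_id, title)
    meeting = @meetings.fetch(meeting_id) { raise NotFound }
    project = @projects.fetch(meeting.project_id)
    raise Forbidden unless user.allowed_to?(:manage_agendas, project)
    store(AgendaItem.new(@next_id, meeting.id, nil, title))
  end

  # Moving an item: permission and the structural check (target section must
  # belong to the item's own meeting) both run before the single mutation.
  def move_item(user, item_id, target_section_id)
    item = @items.fetch(item_id) { raise NotFound }
    project = @projects.fetch(@meetings.fetch(item.meeting_id).project_id)
    raise Forbidden unless user.allowed_to?(:manage_agendas, project)
    section = @sections.fetch(target_section_id) { raise NotFound }
    raise Forbidden, 'section belongs to another meeting' unless section.meeting_id == item.meeting_id
    item.section_id = section.id
    item
  end

  def item(id)
    @items[id]
  end

  private

  def store(item)
    @items[item.id] = item
    @next_id += 1
    item
  end
end
```

The same rule covers the budget case: resolve the object the request acts on, authorize against its project, and do nothing (no moves, no deletes) until that returns.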
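CVE-2026-30234 (an absolute or traversal path inside a .bcf archive's markup.bcf) and the two arbitrary-file-write entries, CVE-2026-25763 and CVE-2026-24685, all turn an attacker-controlled name into a filesystem path. The Ruby below is an added helper, not OpenProject's BCF importer or repository code: `safe_join` rejects absolute names, drive letters, `..` components and NUL bytes, then re-checks the expanded result against the base directory, and `write_entry` uses it to write a constructed archive entry into a temporary directory. The function names are assumptions.

```ruby
# Added example (not OpenProject code): confine attacker-supplied file names
# to a base directory before reading or writing.
require 'pathname'
require 'tmpdir'
require 'fileutils'

class UnsafePath < StandardError; end

# Returns an absolute path guaranteed to lie under base_dir, or raises.
def safe_join(base_dir, relative_name)
  name = relative_name.to_s
  raise UnsafePath, 'empty name' if name.empty?
  raise UnsafePath, 'NUL byte in name' if name.include?("\0")
  # Absolute on POSIX, a Windows drive letter, or a leading backslash.
  if Pathname.new(name).absolute? || name.match?(/\A[A-Za-z]:/) || name.start_with?('\\')
    raise UnsafePath, "absolute path #{name.inspect}"
  end
  parts = name.split(%r{[/\\]})
  raise UnsafePath, "traversal in #{name.inspect}" if parts.include?('..')

  # Belt and braces: even after the syntactic checks, the expanded path must
  # start with the base directory plus a separator.
  base = File.expand_path(base_dir)
  full = File.expand_path(File.join(base, *parts))
  raise UnsafePath, "escapes base dir: #{name.inspect}" unless full.start_with?(base + File::SEPARATOR)
  full
end

# Writes one archive entry (name and bytes taken from the upload) under base_dir.
def write_entry(base_dir, entry_name, data)
  path = safe_join(base_dir, entry_name)
  FileUtils.mkdir_p(File.dirname(path))
  File.binwrite(path, data)
  path
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |base|
    # Constructed entry names as they might appear in an uploaded archive.
    ['topic1/markup.bcf', '../../etc/cron.d/x', '/etc/passwd'].each do |n|
      begin
        puts "ok       #{n} -> #{write_entry(base, n, '<Markup/>')}"
      rescue UnsafePath => e
        puts "rejected #{n}: #{e.message}"
      end
    end
  end
end
```

Apply the same helper to the path that names the "latest" file in the repository endpoints: the check is on the path that will be opened, not on the request parameter in isolation.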
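CVE-2026-30235 (hyperlink handling in Markdown rendering) and the unescaped-output entries CVE-2026-32703 and CVE-2026-25764 are output-encoding problems: a link target needs a scheme allowlist, and anything rendered into HTML (a repository filename, a time-entry field, a link label) needs escaping. The Ruby below is an added illustration, not OpenProject's Markdown pipeline: `sanitize_href` keeps relative links and an allowlisted set of schemes, rejecting control characters that browsers drop from spellings like `java\tscript:`, and `render_link` HTML-escapes both the label and the surviving href. The scheme list and function names are assumptions.

```ruby
# Added example (not OpenProject code): scheme-allowlisted hrefs and escaped
# labels for links produced from untrusted Markdown.
require 'cgi'
require 'uri'

SAFE_SCHEMES = %w[http https mailto].freeze

# Returns the href to emit, or nil when the link must be dropped.
def sanitize_href(href)
  cleaned = href.to_s.strip
  # Browsers ignore embedded tabs/newlines when reading a scheme, so
  # "java\tscript:" would still execute; reject control characters outright.
  return nil if cleaned.empty? || cleaned.match?(/[\u0000-\u001f\u007f]/)

  uri = begin
    URI.parse(cleaned)
  rescue URI::InvalidURIError
    return nil
  end
  return cleaned if uri.scheme.nil?                 # relative link, inherits page scheme
  SAFE_SCHEMES.include?(uri.scheme.downcase) ? cleaned : nil
end

# Emits an anchor, or just the escaped label when the href is rejected.
# Both the label and the href are escaped for the HTML attribute/text context.
def render_link(text, href)
  label = CGI.escapeHTML(text.to_s)
  safe = sanitize_href(href)
  return label if safe.nil?
  %(<a href="#{CGI.escapeHTML(safe)}" rel="noopener noreferrer">#{label}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs of the kind a Markdown document could carry.
  [['docs', 'https://example.com/docs'],
   ['click', 'javascript:alert(1)'],
   ['click', "java\tscript:alert(1)"],
   ['<img src=x onerror=alert(1)>', '/projects/1/wiki']].each do |text, href|
    puts render_link(text, href)
  end
end
```

Scheme-relative links (`//host/path`) pass because they inherit http(s) from the page; if you do not want external hosts at all, check `uri.host` as well.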