VYPR vendor page: Opf

Products: 1
CVEs: 37 (across products: 37)
Status: Private

Recent CVEs (37)
  • CVE-2026-34717 | Critical | Apr 2, 2026
    risk 0.57, cvss 9.9, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version…

  • CVE-2017-11667 | High | Jul 26, 2017
    risk 0.53, cvss 8.1, epss 0.01

    OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.

  • CVE-2026-33667 | High | Apr 15, 2026
    risk 0.48, cvss 7.4, epss 0.00

    OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing…

  • CVE-2026-40896 | Medium | Apr 20, 2026
    risk 0.35, cvss 6.5, epss 0.00

    OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No…

  • CVE-2019-11600 | May 13, 2019
    risk 0.02, cvss n/a, epss 0.80

    A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access.

  • CVE-2026-32703 | Mar 18, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to…

  • CVE-2026-32698 | Mar 18, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected…

  • CVE-2026-31974 | Mar 11, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether…

  • CVE-2026-30239 | Mar 11, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action…

  • CVE-2026-30236 | Mar 11, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member. This exposed the user's default rate…

  • CVE-2026-30235 | Mar 11, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink…

  • CVE-2026-30234 | Mar 11, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the value in markup.bcf is manipulated to contain an absolute or traversal local…

  • CVE-2026-27723 | Mar 5, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2.

  • CVE-2026-24777 | Feb 9, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock…

  • CVE-2026-25763 | Feb 6, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest…

  • CVE-2026-25764 | Feb 6, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges…

  • CVE-2026-24776 | Feb 6, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring…

  • CVE-2026-24775 | Jan 28, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the…

  • CVE-2026-24772 | Jan 28, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours,…

  • CVE-2026-24685 | Jan 28, 2026
    risk 0.00, cvss n/a, epss 0.00

    OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single…