Vendor CVEs
Opf
All CVEs
37 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34717 | Opf / OpenProject | Critical | 0.57 | 9.9 | 0.00 | | Apr 2, 2026 | OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version… |
| CVE-2017-11667 | Opf / OpenProject | High | 0.53 | 8.1 | 0.01 | | Jul 26, 2017 | OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session. |
| CVE-2026-33667 | Opf / OpenProject | High | 0.48 | 7.4 | 0.00 | | Apr 15, 2026 | OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing… |
| CVE-2026-40896 | Opf / OpenProject | Medium | 0.35 | 6.5 | 0.00 | | Apr 20, 2026 | OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance, even projects they have no access to. No… |
| CVE-2019-11600 | Opf / OpenProject | — | 0.02 | — | 0.80 | | May 13, 2019 | A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not to require authentication for API access. |
| CVE-2026-32703 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Mar 18, 2026 | OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to… |
| CVE-2026-32698 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Mar 18, 2026 | OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected… |
| CVE-2026-31974 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, the OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether… |
| CVE-2026-30239 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action… |
| CVE-2026-30236 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member. This exposed the user's default rate… |
| CVE-2026-30235 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject's Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink… |
| CVE-2026-30234 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Mar 11, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the value in markup.bcf is manipulated to contain an absolute or traversal local… |
| CVE-2026-27723 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Mar 5, 2026 | OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2. |
| CVE-2026-24777 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Feb 9, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock… |
| CVE-2026-25763 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Feb 6, 2026 | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject's repository changes endpoint (/projects/:project_id/repository/changes) when rendering the "latest… |
| CVE-2026-25764 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Feb 6, 2026 | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags; an attacker with administrator privileges… |
| CVE-2026-24776 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Feb 6, 2026 | OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring… |
| CVE-2026-24775 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 28, 2026 | OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the… |
| CVE-2026-24772 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 28, 2026 | OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours,… |
| CVE-2026-24685 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 28, 2026 | OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject's repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single… |
| CVE-2026-23721 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 19, 2026 | OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions… |
| CVE-2026-23646 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 19, 2026 | OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the… |
| CVE-2026-23625 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 19, 2026 | OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject's roadmap view renders the "Related work packages" list for each version. When… |
| CVE-2026-22605 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 10, 2026 | OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3 allowed users with the View Meetings permission on any project to access meeting details of meetings that belonged to projects the user does not have access to.… |
| CVE-2026-22604 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 10, 2026 | OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting… |
| CVE-2026-22603 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 10, 2026 | OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In… |
| CVE-2026-22602 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 10, 2026 | OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low-privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete… |
| CVE-2026-22601 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 10, 2026 | OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2. |
| CVE-2026-22600 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jan 10, 2026 | OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work… |
| CVE-2025-24892 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Feb 10, 2025 | OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management section. Groups created with HTML script tags are not properly escaped before… |
| CVE-2024-41801 | Opf / OpenProject | — | 0.00 | — | 0.00 | | Jul 25, 2024 | OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack… |
| CVE-2024-35224 | Opf / OpenProject | — | 0.00 | — | 0.00 | | May 23, 2024 | OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the… |
| CVE-2023-33960 | Opf / OpenProject | — | 0.00 | — | 0.01 | | Jun 1, 2023 | OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the… |
| CVE-2023-31140 | Opf / OpenProject | — | 0.00 | — | 0.01 | | May 8, 2023 | OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not… |
| CVE-2021-43830 | Opf / OpenProject | — | 0.00 | — | 0.01 | | Dec 14, 2021 | OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget insufficiently… |
| CVE-2021-32763 | Opf / OpenProject | — | 0.00 | — | 0.01 | | Jul 20, 2021 | OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip ``… |
| CVE-2019-17092 | Opf / OpenProject | — | 0.00 | — | 0.02 | | Oct 9, 2019 | An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled. |
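The table states a fixed version for most entries but gives no direct way to ask which of them apply to a particular install. The Ruby below is an added example, not OpenProject code and not the data feed behind this page: it transcribes a subset of the version ranges printed above into [introduced, fixed) pairs and checks an installed version against them. Two points are my reading of the wording rather than something the page states: "prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1" is encoded as everything below 16.6.9 plus per-branch ranges with assumed lower bounds 17.0.0, 17.1.0 and 17.2.0, and "7.x before 7.0.3" is encoded as 7.0.0 up to 7.0.3. Confirm against the upstream advisory before acting on the output.

```ruby
require "rubygems" # Gem::Version does the numeric version comparison

# Affected ranges transcribed from the table above (illustrative subset).
# Each entry is [introduced, fixed): nil introduced means "every version below fixed".
# Per-branch lower bounds (17.0.0, 17.1.0, 17.2.0, 7.0.0) are assumptions about the wording.
ADVISORIES = {
  "CVE-2026-34717" => [[nil, "17.2.3"]],
  "CVE-2026-33667" => [[nil, "17.3.0"]],
  "CVE-2026-40896" => [[nil, "17.3.0"]],
  "CVE-2026-32698" => [[nil, "16.6.9"], ["17.0.0", "17.0.6"], ["17.1.0", "17.1.3"], ["17.2.0", "17.2.1"]],
  "CVE-2026-32703" => [[nil, "16.6.9"], ["17.0.0", "17.0.6"], ["17.1.0", "17.1.3"], ["17.2.0", "17.2.1"]],
  "CVE-2026-22604" => [["11.2.1", "16.6.2"]],
  "CVE-2023-31140" => [["7.4.0", "12.5.4"]],
  "CVE-2019-11600" => [[nil, "8.3.2"]],
  "CVE-2017-11667" => [[nil, "6.1.6"], ["7.0.0", "7.0.3"]],
}.freeze

# True when introduced <= version < fixed (introduced nil means no lower bound).
def version_in_range?(version, introduced, fixed)
  v = Gem::Version.new(version)
  lower_ok = introduced.nil? || v >= Gem::Version.new(introduced)
  lower_ok && v < Gem::Version.new(fixed)
end

# All advisory ids whose ranges include the installed version, sorted.
def affected_cves(installed_version, advisories = ADVISORIES)
  advisories
    .select { |_cve, ranges| ranges.any? { |lo, hi| version_in_range?(installed_version, lo, hi) } }
    .keys
    .sort
end

if __FILE__ == $PROGRAM_NAME
  version = ARGV.first || "17.2.2"
  hits = affected_cves(version)
  puts hits.empty? ? "#{version}: none of the listed entries apply" : "#{version}: #{hits.join(', ')}"
end
```

Run it as `ruby check.rb 17.2.2`; 17.2.2 is past the branch fixes for CVE-2026-32698/32703 but still below 17.2.3 and 17.3.0, so only the three newest entries are reported.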
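CVE-2026-34717, CVE-2026-32698, CVE-2021-43830 and CVE-2019-11600 share one root cause: a request value, or in the custom-field case an identifier, is spliced into SQL text. The Ruby below is an added illustration of that pattern and of the fix; it is not the code from modules/reporting/lib/report/operator.rb or any other OpenProject file, and the function names, the column allowlist and the PostgreSQL identifier quoting are my own choices. The operator is modelled as an equality test that is expected to receive a number, which is enough to show why coercion plus bind parameters closes the hole and an allowlist is needed for anything that cannot be bound.

```ruby
# Added example: vulnerable and hardened ways to build a WHERE fragment.
# Not OpenProject's operator implementation; names are illustrative.

# VULNERABLE: the raw request value is interpolated into SQL text. With the
# value "1 OR 1=1" the filter silently becomes a tautology; with a value that
# closes the statement the attacker controls what runs next.
def where_equals_unsafe(column, value)
  "#{column} = #{value}"
end

class UnsafeIdentifier < ArgumentError; end

# Column names cannot travel as bind parameters, so they are checked against
# an allowlist (hypothetical column set for this example).
ALLOWED_COLUMNS = %w[id project_id status_id assigned_to_id].freeze

# HARDENED: the value never touches the SQL string. Request values arrive as
# strings; Integer(value, 10) raises ArgumentError on "1 OR 1=1", "7--" or
# "0x1A", and the accepted number is returned as a bind next to a placeholder,
# the [sql, binds] shape a database adapter consumes.
def where_equals_safe(column, value)
  raise UnsafeIdentifier, column unless ALLOWED_COLUMNS.include?(column)
  ["#{column} = ?", [Integer(value, 10)]]
end

# Same idea for a list of ids: one placeholder per element, never a joined string.
def where_in_safe(column, values)
  raise UnsafeIdentifier, column unless ALLOWED_COLUMNS.include?(column)
  ids = values.map { |v| Integer(v, 10) }
  raise ArgumentError, "empty IN list" if ids.empty?
  ["#{column} IN (#{(['?'] * ids.size).join(', ')})", ids]
end

# Identifiers that genuinely come from data (a custom field's name, as in
# CVE-2026-32698) are quoted as PostgreSQL identifiers: wrapped in double
# quotes with embedded double quotes doubled. Quoting is about syntax only;
# whether the caller may reference that field is a separate authorization check.
def quote_identifier(name)
  raise UnsafeIdentifier, "NUL byte in identifier" if name.include?("\0")
  %("#{name.gsub('"', '""')}")
end
```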
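CVE-2026-33667 (no rate limiting, lockout or failed-attempt tracking on OTP confirmation) and CVE-2026-22603 (a password-change endpoint outside the login form's brute-force safeguards) are both missing the same control. The Ruby below is an added example of that control, not OpenProject's two_factor_authentication module or its login throttling; the thresholds, the key scheme and the class name are my choices. The limiter is keyed by an arbitrary string, so the same object can front an OTP check keyed by user id and a password-change check keyed by token or client address.

```ruby
# Added example: consecutive-failure tracking with lockout in front of a
# secret comparison. Illustrative thresholds; not OpenProject code.
class OtpAttemptLimiter
  MAX_FAILURES    = 5        # wrong codes in a row before the key is locked
  LOCKOUT_SECONDS = 15 * 60  # how long the key stays locked

  # The clock is injectable so the behaviour can be exercised without sleeping.
  def initialize(clock: -> { Time.now.to_i })
    @clock        = clock
    @failures     = Hash.new(0) # key => consecutive failures
    @locked_until = {}          # key => unix timestamp
  end

  def locked?(key)
    t = @locked_until[key]
    !t.nil? && @clock.call < t
  end

  # Returns :locked, :ok or :invalid. While locked even a correct code is
  # refused, otherwise the lockout could still be brute-forced through.
  def verify(key, submitted, expected)
    return :locked if locked?(key)

    if constant_time_equal?(submitted.to_s, expected.to_s)
      @failures.delete(key)
      @locked_until.delete(key)
      :ok
    else
      @failures[key] += 1
      if @failures[key] >= MAX_FAILURES
        @locked_until[key] = @clock.call + LOCKOUT_SECONDS
        @failures.delete(key)
      end
      :invalid
    end
  end

  private

  # Byte-wise comparison whose running time does not depend on where the first
  # mismatch sits. Length is compared first; an OTP's length is not secret.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Why the control matters: a 6-digit code has 10**6 values, so the attacker's
# success probability inside one validity window is roughly the number of
# guesses they can submit divided by 10**6 (capped at certainty).
def guess_success_probability(guesses_in_window, code_digits: 6)
  [guesses_in_window.to_f / 10**code_digits, 1.0].min
end
```

With the limiter an attacker gets at most MAX_FAILURES guesses per lockout period per key; without it the only bound is request throughput, which is the situation the two entries describe.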
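The most frequent bug class in the table is an authorization check detached from the object being acted on: `manage_agendas` in any project reaching meetings of other projects (CVE-2026-40896), an agenda item dropped into a section of a different meeting (CVE-2026-24776), View Meetings on any project exposing other projects' meetings (CVE-2026-22605), wiki pages created in unpermitted projects (CVE-2026-27723), and session deletion without an ownership check (CVE-2026-23646). The Ruby below is an added example of the broken shape next to the scoped one; it is not OpenProject's authorization code, and the structs, the membership map and the function names are my own.

```ruby
# Added example: permission checks scoped to the object's project and owner.
# Illustrative model, not OpenProject's.
class NotAuthorized < StandardError; end

Meeting       = Struct.new(:id, :project_id)
AgendaSection = Struct.new(:id, :meeting_id)
Session       = Struct.new(:id, :user_id)

# Resolve a record to the project it belongs to, walking parents as needed
# (section -> meeting -> project). Anything unknown is refused, not guessed.
def project_of(record, meetings:)
  case record
  when Meeting       then record.project_id
  when AgendaSection then meetings.fetch(record.meeting_id).project_id
  else raise ArgumentError, "no project scope for #{record.class}"
  end
end

# memberships: user_id => { project_id => [permissions] }
def permission_in_project?(memberships, user_id, project_id, permission)
  memberships.dig(user_id, project_id)&.include?(permission) || false
end

# BROKEN shape: "does the user hold this permission somewhere?" The answer
# says nothing about the meeting or page the request actually targets.
def authorized_anywhere?(memberships, user_id, permission)
  memberships.fetch(user_id, {}).values.any? { |perms| perms.include?(permission) }
end

# SCOPED check: the permission must hold in the project that owns the target.
def authorize!(memberships, user_id, permission, record, meetings:)
  pid = project_of(record, meetings: meetings)
  return true if permission_in_project?(memberships, user_id, pid, permission)
  raise NotAuthorized, "#{permission} not granted in project #{pid}"
end

# Moving an agenda item: the target section must belong to the same meeting
# as the item, independent of what permissions the user holds.
def move_target_valid?(item_meeting_id, target_section)
  target_section.meeting_id == item_meeting_id
end

# Ending a session: only its owner may delete it. An unknown id and someone
# else's id produce the same error so the endpoint does not confirm existence.
def delete_session!(sessions, current_user_id, session_id)
  s = sessions[session_id]
  raise NotAuthorized, "not your session" if s.nil? || s.user_id != current_user_id
  sessions.delete(session_id)
  true
end
```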