| Vendor | Product | Version Range | Status |
|---|---|---|---|
| opf | openproject | < 17.4.0 | affected |
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| opf | openproject | < 17.4.0 | - |
| # | POC Description | Source Link | Shenlong Link |
|---|
No public POC found.
Login to generate AI POC| CVE-2026-52782 | 9.9 CRITICAL | OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH para |
| CVE-2026-52785 | 9.9 CRITICAL | OpenProject: SQL injection in timestamps functionality |
| CVE-2026-46386 | 9.9 CRITICAL | OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `S |
| CVE-2026-52780 | 9.6 CRITICAL | OpenProject: Cache store poisoning leads to Remote Code Execution (RCE) |
| CVE-2026-52784 | 8.8 HIGH | OpenProject: CSRF on TARGET through /users/:id via POST parameter "user[admin]" |
| CVE-2026-52783 | 8.2 HIGH | OpenProject: Information Disclosure (cleartext storage of data) on localhost through memca |
| CVE-2026-47193 | 7.5 HIGH | OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks |
| CVE-2026-44734 | 6.5 MEDIUM | OpenProject: Improper Access Control on OpenProject through the POST request to /projects/ |
| CVE-2026-44736 | 6.5 MEDIUM | OpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Pa |
| CVE-2026-44735 | 6.5 MEDIUM | OpenProject: Shares API Information Disclosure |
| CVE-2026-52781 | 6.4 MEDIUM | OpenProject: Stored XSS on openproject.example.com through /api/v3/projects/{project}/work |
| CVE-2026-44733 | 5.9 MEDIUM | OpenProject: Business Logic Error on OpenProject through PATCH request to /api/v3/users/me |
| CVE-2026-44696 | 5.7 MEDIUM | OpenProject: Stored CSS injection via Sanitize::Config::RELAXED[:css] enables phishing ove |
| CVE-2026-52779 | 5.4 MEDIUM | OpenProject: Cross-project authorization bypass allows deleting public Calendar and Team P |
| CVE-2026-44731 | 4.3 MEDIUM | OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetin |
| CVE-2026-44732 | 4.3 MEDIUM | OpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "proje |
No comments yet