
openproject — Vulnerabilities & Security Advisories (34)

All 34 CVE vulnerabilities found in openproject, with AI-generated Chinese analysis, references, and POCs.

Vendor: opf

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-40896 | OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup | CWE-367 | 6.5 | Medium | 2026-04-20 |
| CVE-2026-33667 | OpenProject: 2FA OTP Verification Missing Rate Limiting | CWE-307 | 7.4 | High | 2026-04-15 |
| CVE-2026-34717 | OpenProject: SQL Injection in Cost Reporting =n Operator via parse_number_string | CWE-89 | 9.9 | Critical | 2026-04-02 |
| CVE-2026-32703 | OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy | CWE-79 | 9.1 | Critical | 2026-03-18 |
| CVE-2026-32698 | OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution | CWE-89 | 9.1 | Critical | 2026-03-18 |
| CVE-2026-31974 | Blind SSRF on OpenProject instance via webhooks | CWE-918 | 3.0 | Low | 2026-03-11 |
| CVE-2026-30239 | OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets | CWE-863 | 6.5 | Medium | 2026-03-11 |
| CVE-2026-30236 | OpenProject users that are not project members can be used to calculate Labor Budget, leaking their global hourly rate | CWE-863 | 4.3 | Medium | 2026-03-11 |
| CVE-2026-30235 | Business Logic Error on OpenProject through hyperlinks in markdown using DOM clobbering | CWE-79 | 6.5 | Medium | 2026-03-11 |
| CVE-2026-30234 | OpenProject BIM BCF XML Import: `<Snapshot>` Path Traversal Leads to Arbitrary Local File Read (AFR) | CWE-22 | 6.5 | Medium | 2026-03-11 |
| CVE-2026-27723 | OpenProject: Insufficient access control leads to create Wiki objects belongs unpermitted projects | CWE-284 | 4.3 | Medium | 2026-03-05 |
| CVE-2026-24777 | OpenProject has Improper Access Control on User Management allows user managers to lock admin accounts | CWE-862 | 6.7 | Medium | 2026-02-09 |
| CVE-2026-25763 | Command Injection on OpenProject repositories leads to Remote Code Execution | CWE-78 | 6.5 (AI-estimated) | Medium (AI-estimated) | 2026-02-06 |
| CVE-2026-25764 | OpenProject vulnerable to Stored HTML injection | CWE-80 | 3.5 | Low | 2026-02-06 |
| CVE-2026-24776 | OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer | CWE-639 | 4.3 | Medium | 2026-02-06 |
| CVE-2026-24775 | OpenProject has Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension | CWE-345 | 6.3 | Medium | 2026-01-28 |
| CVE-2026-24772 | OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server | CWE-345 | 8.9 | High | 2026-01-28 |
| CVE-2026-24685 | OpenProject has Argument Injection on Repository module that allows Arbitrary File Write | CWE-77 | 7.5 (AI-estimated) | High (AI-estimated) | 2026-01-28 |
| CVE-2026-23721 | OpenProject users with "View Members" permission in any project can view all Group memberships | CWE-862 | 4.3 | Medium | 2026-01-19 |
| CVE-2026-23646 | OpenProject users can delete other user's session, causing them to be logged out | CWE-488 | 6.5 | Medium | 2026-01-19 |
| CVE-2026-23625 | OpenProject has stored XSS regression using attachments and script-src self | CWE-79 | 8.7 | High | 2026-01-19 |
| CVE-2026-22605 | OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings | CWE-284 | 4.3 | Medium | 2026-01-10 |
| CVE-2026-22604 | OpenProject is vulnerable to user enumeration via the change password function | CWE-200 | 5.3 | - | 2026-01-10 |
| CVE-2026-22603 | OpenProject has no protection against brute-force attacks in the Change Password function | CWE-307 | 9.8 | - | 2026-01-10 |
| CVE-2026-22602 | OpenProject is Vulnerable to User Enumeration via User ID | CWE-200 | 3.5 | Low | 2026-01-10 |
| CVE-2026-22601 | OpenProject is Vulnerable to Code Execution in E-Mail function | CWE-77 | 7.2 | - | 2026-01-10 |
| CVE-2026-22600 | OpenProject is Vulnerable to Arbitrary File Read via ImageMagick SVG Coder | CWE-200 | 9.1 | Critical | 2026-01-10 |
| CVE-2025-24892 | OpenProject stored HTML injection vulnerability | CWE-79 | 3.5 | Low | 2025-02-10 |
| CVE-2024-41801 | OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration | CWE-601 | 4.7 | Medium | 2024-07-25 |
| CVE-2024-35224 | Stored Cross-Site Scripting (XSS) in OpenProject | CWE-80 | 7.6 | High | 2024-05-23 |

All 34 known CVE vulnerabilities affecting openproject with full Chinese analysis, references, and POCs where available.