
opf — Vulnerabilities & Security Advisories 34

Browse all 34 CVE security advisories affecting opf. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by opf: openproject

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40896 | OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup | openproject | CWE-367 | 6.5 | Medium | 2026-04-20 |
| CVE-2026-33667 | OpenProject: 2FA OTP Verification Missing Rate Limiting | openproject | CWE-307 | 7.4 | High | 2026-04-15 |
| CVE-2026-34717 | OpenProject: SQL Injection in Cost Reporting =n Operator via parse_number_string | openproject | CWE-89 | 9.9 | Critical | 2026-04-02 |
| CVE-2026-32703 | OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy | openproject | CWE-79 | 9.1 | Critical | 2026-03-18 |
| CVE-2026-32698 | OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution | openproject | CWE-89 | 9.1 | Critical | 2026-03-18 |
| CVE-2026-31974 | Blind SSRF on OpenProject instance via webhooks | openproject | CWE-918 | 3.0 | Low | 2026-03-11 |
| CVE-2026-30239 | OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets | openproject | CWE-863 | 6.5 | Medium | 2026-03-11 |
| CVE-2026-30236 | OpenProject users that are not project members can be used to calculate Labor Budget, leaking their global hourly rate | openproject | CWE-863 | 4.3 | Medium | 2026-03-11 |
| CVE-2026-30235 | Business Logic Error on OpenProject through hyperlinks in markdown using DOM clobbering | openproject | CWE-79 | 6.5 | Medium | 2026-03-11 |
| CVE-2026-30234 | OpenProject BIM BCF XML Import: <Snapshot> Path Traversal Leads to Arbitrary Local File Read (AFR) | openproject | CWE-22 | 6.5 | Medium | 2026-03-11 |
| CVE-2026-27723 | OpenProject: Insufficient access control leads to create Wiki objects belongs unpermitted projects | openproject | CWE-284 | 4.3 | Medium | 2026-03-05 |
| CVE-2026-24777 | OpenProject has Improper Access Control on User Management allows user managers to lock admin accounts | openproject | CWE-862 | 6.7 | Medium | 2026-02-09 |
| CVE-2026-25763 | Command Injection on OpenProject repositories leads to Remote Code Execution | openproject | CWE-78 | 6.5 (AI) | Medium (AI) | 2026-02-06 |
| CVE-2026-25764 | OpenProject vulnerable to Stored HTML injection | openproject | CWE-80 | 3.5 | Low | 2026-02-06 |
| CVE-2026-24776 | OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer | openproject | CWE-639 | 4.3 | Medium | 2026-02-06 |
| CVE-2026-24775 | OpenProject has Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension | openproject | CWE-345 | 6.3 | Medium | 2026-01-28 |
| CVE-2026-24772 | OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server | openproject | CWE-345 | 8.9 | High | 2026-01-28 |
| CVE-2026-24685 | OpenProject has Argument Injection on Repository module that allows Arbitrary File Write | openproject | CWE-77 | 7.5 (AI) | High (AI) | 2026-01-28 |
| CVE-2026-23721 | OpenProject users with "View Members" permission in any project can view all Group memberships | openproject | CWE-862 | 4.3 | Medium | 2026-01-19 |
| CVE-2026-23646 | OpenProject users can delete other user's session, causing them to be logged out | openproject | CWE-488 | 6.5 | Medium | 2026-01-19 |
| CVE-2026-23625 | OpenProject has stored XSS regression using attachments and script-src self | openproject | CWE-79 | 8.7 | High | 2026-01-19 |
| CVE-2026-22605 | OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings | openproject | CWE-284 | 4.3 | Medium | 2026-01-10 |
| CVE-2026-22604 | OpenProject is vulnerable to user enumeration via the change password function | openproject | CWE-200 | 5.3 | - | 2026-01-10 |
| CVE-2026-22603 | OpenProject has no protection against brute-force attacks in the Change Password function | openproject | CWE-307 | 9.8 | - | 2026-01-10 |
| CVE-2026-22602 | OpenProject is Vulnerable to User Enumeration via User ID | openproject | CWE-200 | 3.5 | Low | 2026-01-10 |
| CVE-2026-22601 | OpenProject is Vulnerable to Code Execution in E-Mail function | openproject | CWE-77 | 7.2 | - | 2026-01-10 |
| CVE-2026-22600 | OpenProject is Vulnerable to Arbitrary File Read via ImageMagick SVG Coder | openproject | CWE-200 | 9.1 | Critical | 2026-01-10 |
| CVE-2025-24892 | OpenProject stored HTML injection vulnerability | openproject | CWE-79 | 3.5 | Low | 2025-02-10 |
| CVE-2024-41801 | OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration | openproject | CWE-601 | 4.7 | Medium | 2024-07-25 |
| CVE-2024-35224 | Stored Cross-Site Scripting (XSS) in OpenProject | openproject | CWE-80 | 7.6 | High | 2024-05-23 |

Scores and severities marked "(AI)" are AI-estimated values shown on the listing rather than published CVSS ratings; a "-" severity means no severity rating was listed.

This page lists every published CVE security advisory associated with opf. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.