CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:17 p.m.•5 views

CVE-2026-33667

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...

7.4CVSS5.4AI score0.00296EPSS

Cvelist•added 2026/04/20 3:12 p.m.•26 views

CVE-2026-40896 OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup

6.5CVSS0.00174EPSS

Exploits1References2

EUVD•added 2026/04/20 3:12 p.m.•5 views

EUVD-2026-23870

CVE•added 2026/04/20 3:12 p.m.•17 views

Exploits1References2

CVE-2026-40896

CVE-2026-40896 concerns OpenProject before version 17.3.0, where a user with the low-privilege permission manage_agendas in any project can inject agenda items into meetings across other projects due to an unscoped section lookup vulnerability. The attack does not require knowledge of the target ...

7.1CVSS5.8AI score0.00174EPSS

Exploits1References2Affected Software1

ATTACKERKB•added 2026/04/20 3:12 p.m.•1 views

CVE-2026-40896

Exploits1References3Affected Software1

Vulnrichment•added 2026/04/20 3:12 p.m.•2 views

CVE-2026-40896 OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup

CNNVD•added 2026/04/20 12:0 a.m.•7 views

Exploits1References2

OpenProject 安全漏洞

OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 17.3.0 had security vulnerabilities. These vulnerabilities stemmed from the ability of users with manage-agendas permissions to insert agenda items into meetings of arbitrary projects, potentiall...

7.1CVSS5.9AI score0.00174EPSS

Positive Technologies•added 2026/04/20 12:0 a.m.•6 views

PT-2026-33783

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manage agendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...

NVD•added 2026/04/15 7:16 p.m.•6 views

Exploits1References5

CVE-2026-33667

7.4CVSS0.00296EPSS

Vulnrichment•added 2026/04/15 6:43 p.m.•1 views

CVE-2026-33667 OpenProject: 2FA OTP Verification Missing Rate Limiting

ATTACKERKB•added 2026/04/15 6:43 p.m.•1 views

CVE-2026-33667

Exploits1References2Affected Software1

Cvelist•added 2026/04/15 6:43 p.m.•20 views

CVE-2026-33667 OpenProject: 2FA OTP Verification Missing Rate Limiting

7.4CVSS0.00296EPSS

CVE•added 2026/04/15 6:43 p.m.•12 views

CVE-2026-33667

OpenProject contains a 2FA bypass in versions before 17.3.0 due to missing rate limiting/lockout on the confirm_otp step of two_factor_authentication. The 2FA verification path (OTP and backup code) does not increment failed-attempt counters or apply delays, while the TOTP window allows roughly f...

Exploits1References1Affected Software1

CNNVD•added 2026/04/15 12:0 a.m.•6 views

OpenProject 安全漏洞

OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 17.3.0 had security vulnerabilities. These vulnerabilities stemmed from the two-factor authentication module’s confirmotp operation, where the 2FA OTP verification lacked rate limiting, a lockout...