CVE-2026-25764 OpenProject vulnerable to Stored HTML injection

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work...

CVE-2026-25764 OpenProject vulnerable to Stored HTML injection

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work...

CVE-2026-24776

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting or is the backlog, in case of recurring meetings. This...

CVE-2026-24776

OpenProject prior to 17.0.2 vulnerable to a logic flaw in the drag-and-drop handler for agenda items. The target meeting section was not validated to belong to the same meeting (or backlog in recurring meetings), enabling an attacker to move an agenda item to a different meeting, causing confusio...

CVE-2026-24776 OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting or is the backlog, in case of recurring meetings. This...

CVE-2026-24776 OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting or is the backlog, in case of recurring meetings. This...

EUVD-2026-5638

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting or is the backlog, in case of recurring meetings. This...

CVE-2026-24776 OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting or is the backlog, in case of recurring meetings. This...

PT-2026-6762

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.0.2 Description OpenProject is a web-based project management software. A flaw existed in the drag-and-drop functionality for agenda items, where the system did not verify if the target meeting section belonged...

OpenProject 安全漏洞

OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 16.6.7 and 17.0.3 had security vulnerabilities. These vulnerabilities stemmed from HTML injection in the time tracking feature, which could lead to cross-site scripting attacks...

OpenProject 操作系统命令注入漏洞

OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 16.6.7 and 17.0.3 had a vulnerability related to operating system command injection. This vulnerability stemmed from an arbitrary file writing vulnerability present in the repository modification...

OpenProject 安全漏洞

OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 17.0.2 had security vulnerabilities. These vulnerabilities stemmed from the drag-and-drop processing mechanism, which did not properly check the target meeting details. This could allow attackers...

PT-2026-6805

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 16.6.7 OpenProject versions prior to 17.0.3 Description OpenProject is a web-based project management software. A flaw exists in the repository changes endpoint '/projects/:project id/repository/changes' when...

PT-2026-6806

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 16.6.7 OpenProject versions prior to 17.0.3 Description OpenProject is a web-based project management software. A flaw exists in the time tracking function where the application fails to properly handle HTML tags...

CVE-2026-24775

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work...

CVE-2026-24772

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a share...

CVE-2026-24685

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint /projects/:projectid/repository/diff.diff when rendering a single revision via git show. By...

CVE-2026-24775

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work...

CVE-2026-24775

OpenProject 17.0.0 added a BlockNote editor extension that may expose internal resources. The vulnerability (CVE-2026-24775) arises because the extension does not properly validate the work package ID when loading details via the OpenProject API, allowing an attacker to craft documents with relat...

CVE-2026-24775

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work...