
342 matches found

NVD
added 2026/01/10 2:15 a.m., 7 views

CVE-2026-22604

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the...

CVSS 6.9, EPSS 0.00254
Exploits 0, References 4
NVD
added 2026/01/10 2:15 a.m., 7 views

CVE-2026-22600

OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file disguised as a PNG as a work package attachment, an...

CVSS 9.1, EPSS 0.0028
Exploits 0, References 2
NVD
added 2026/01/10 2:15 a.m., 7 views

CVE-2026-22601

OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2...

CVSS 8.6, EPSS 0.00325
Exploits 0, References 2
EUVD
added 2026/01/10 1:07 a.m., 4 views

EUVD-2026-1882

OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3 allowed users with the View Meetings permission on any project to access meeting details of meetings that belonged to projects the user does not have access to. This issue has bee...

CVSS 4.3, AI score 6.2, EPSS 0.00193
Exploits 0, References 2
Vulnrichment
added 2026/01/10 1:07 a.m., 3 views

CVE-2026-22605 OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings

OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3 allowed users with the View Meetings permission on any project to access meeting details of meetings that belonged to projects the user does not have access to. This issue has bee...

CVSS 4.3, AI score 6.3, EPSS 0.00193
Exploits 0, References 2
Cvelist
added 2026/01/10 1:07 a.m., 26 views

CVE-2026-22605 OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings

OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3 allowed users with the View Meetings permission on any project to access meeting details of meetings that belonged to projects the user does not have access to. This issue has bee...

CVSS 4.3, EPSS 0.00193
Exploits 0, References 2
CVE
added 2026/01/10 1:07 a.m., 8 views

CVE-2026-22605

OpenProject (web-based project management) versions prior to 16.6.3 are vulnerable to an insecure direct object reference in meetings. Users with View Meetings permission on any project could access meeting details from projects they do not have access to. This has been patched in version 16.6.3;...

CVSS 4.3, AI score 6.3, EPSS 0.00193
Exploits 0, References 2, Affected Software 1
OSV
added 2026/01/10 1:07 a.m., 4 views

CVE-2026-22605 OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings

OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3 allowed users with the View Meetings permission on any project to access meeting details of meetings that belonged to projects the user does not have access to. This issue has bee...

CVSS 4.3, AI score 6.6, EPSS 0.00193
Exploits 0, References 4
Cvelist
added 2026/01/10 1:07 a.m., 23 views

CVE-2026-22604 OpenProject is vulnerable to user enumeration via the change password function

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the...

CVSS 6.9, EPSS 0.00254
Exploits 0, References 4
EUVD
added 2026/01/10 1:07 a.m., 5 views

EUVD-2026-1883

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the...

CVSS 6.9, AI score 6.4, EPSS 0.00254
Exploits 0, References 4
Vulnrichment
added 2026/01/10 1:07 a.m., 3 views

CVE-2026-22604 OpenProject is vulnerable to user enumeration via the change password function

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the...

CVSS 6.9, AI score 6.5, EPSS 0.00254
Exploits 0, References 4
CVE
added 2026/01/10 1:07 a.m., 14 views

CVE-2026-22604

OpenProject (web-based project management software) is affected in versions 11.2.1 through 16.6.1. A flaw exists in the unauthenticated POST request to the /account/change_password endpoint where providing an arbitrary password_change_user_id reveals the username of the targeted account, enabling...

CVSS 6.9, AI score 6.5, EPSS 0.00254
Exploits 0, References 4, Affected Software 1
OSV
added 2026/01/10 1:07 a.m., 5 views

CVE-2026-22604 OpenProject is vulnerable to user enumeration via the change password function

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the...

CVSS 6.9, AI score 6.8, EPSS 0.00254
Exploits 0, References 6
EUVD
added 2026/01/10 1:06 a.m., 5 views

EUVD-2026-1884

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint /account/change_password was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker...

CVSS 6.9, AI score 6.6, EPSS 0.0022
Exploits 0, References 4
Vulnrichment
added 2026/01/10 1:06 a.m., 3 views

CVE-2026-22603 OpenProject has no protection against brute-force attacks in the Change Password function

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint /account/change_password was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker...

CVSS 6.9, AI score 6.7, EPSS 0.0022
Exploits 0, References 4
CVE
added 2026/01/10 1:06 a.m., 9 views

CVE-2026-22603

CVE-2026-22603 affects OpenProject before version 16.6.2. The vulnerability is due to an unauthenticated password-change endpoint (/account/change_password) that lacked the same brute-force protections as the login form. An attacker who can guess or enumerate user IDs can send unlimited password-...

CVSS 6.9, AI score 6.7, EPSS 0.0022
Exploits 0, References 4, Affected Software 1
Cvelist
added 2026/01/10 1:06 a.m., 26 views

CVE-2026-22603 OpenProject has no protection against brute-force attacks in the Change Password function

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint /account/change_password was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker...

CVSS 6.9, EPSS 0.0022
Exploits 0, References 4
OSV
added 2026/01/10 1:06 a.m., 3 views

CVE-2026-22603 OpenProject has no protection against brute-force attacks in the Change Password function

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint /account/change_password was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker...

CVSS 6.9, AI score 7, EPSS 0.0022
Exploits 0, References 6
CVE
added 2026/01/10 1:06 a.m., 8 views

CVE-2026-22602

CVE-2026-22602 affects OpenProject prior to version 16.6.2. A user with low privileges (logged in) can enumerate and view the full names of other users by iterating through sequential user IDs (e.g., 1, 2, 3, …) or via the OpenProject API, enabling automated retrieval of personal data. The issue ...

CVSS 3.5, AI score 6.5, EPSS 0.00255
Exploits 0, References 4, Affected Software 1
OSV
added 2026/01/10 1:06 a.m., 4 views

CVE-2026-22602 OpenProject is Vulnerable to User Enumeration via User ID

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low-privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users' fu...

CVSS 3.5, AI score 6.7, EPSS 0.00255
Exploits 0, References 6