770 matches found
Leantime < 2.4 - Authenticated SQL Injection
Leantime is an open source project management system. A 'userId' variable in app/domain/files/repositories/class.files.php is not parameterized. An authenticated attacker can send a carefully crafted POST request to /api/jsonrpc to exploit an SQL injection vulnerability. Confidentiality is impact...
CVE-2026-13504
A vulnerability has been found in code-projects Project Management System 1.0. This vulnerability affects unknown code of the file /mail.php of the component Mail Compose Page. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed...
EUVD-2026-40002
A vulnerability has been found in code-projects Project Management System 1.0. This vulnerability affects unknown code of the file /mail.php of the component Mail Compose Page. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed...
CVE-2026-13504
CVE-2026-13504 affects code-projects Project Management System 1.0, specifically the /mail.php Mail Compose Page. The vulnerability is a cross-site scripting flaw in unknown code paths within that file, exploitable remotely and with user interaction required. The description notes public disclosu...
CVE-2026-13504 code-projects Project Management System Mail Compose mail.php cross site scripting
A vulnerability has been found in code-projects Project Management System 1.0. This vulnerability affects unknown code of the file /mail.php of the component Mail Compose Page. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed...
CVE-2026-13490
A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7. This affects the function Document::canViewFile of the file front/document.send.php of the component Document Handler. Such manipulation of the argument docid leads to authorization bypass. The attack can be...
PT-2026-53115
Name of the Vulnerable Software and Affected Versions code-projects Project Management System version 1.0 Description Cross site scripting XSS occurs in the Mail Compose Page component within the /mail.php endpoint. This issue allows a remote attacker to execute malicious scripts through the...
PT-2026-52911
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.3 OpenProject versions prior to 17.4.1 Description Cache store poisoning allows for Remote Code Execution RCE, a process where an attacker executes arbitrary code on a remote machine. Recommendations Update t...
CVE-2026-46558
Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1...
CVE-2026-46558 Plane: Cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces
Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1...
EUVD-2026-36066
Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1...
CVE-2026-10285
A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack i...
CVE-2026-39374
Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...
GHSA-M8XG-8XG9-MXHM Nuclio: Missing authorization on project write paths allows any authenticated user to modify or delete any project
This vulnerability exists in Nuclio Dashboard's project management API, allowing any authenticated user without membership in the target project to bypass OPA authorization checks on write paths PUT /api/projects/id, DELETE /api/projects and modify or delete any project along with all its...
CVE-2026-10284
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to...
CVE-2026-10284
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to...
CVE-2026-10285
A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack i...
CVE-2026-10285
A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack i...
CVE-2026-10285 DevaslanPHP project-management Ticket KanbanScrumHelper.php recordUpdated improper authorization
A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack i...
CVE-2026-10285
The CVE-2026-10285 affects DevaslanPHP project-management (up to 2.0.0-beta1). The issue lies in KanbanScrumHelper::recordUpdated (file app/Helpers/KanbanScrumHelper.php) where manipulation leads to improper authorization, enabling a remote attack. The available sources do not specify exploit vec...