Lucene search

26 matches found

NVD | added 2026/06/26 8:17 p.m. | 6 views

CVE-2026-49355

OpenProject is open-source, web-based project management software. Prior to 17.4.0, GET /api/v3/meetings/:meetingid/agendaitems/:agendaitemid discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0...

CVSS 4.3 | EPSS 0.00214
Exploits: 0 | References: 1

NVD | added 2026/06/26 8:17 p.m. | 6 views

CVE-2026-44735

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the viewsharedworkpackages permission. The authorization check operates at the project level onl...

CVSS 6.5 | EPSS 0.0027
Exploits: 0 | References: 1

ATTACKERKB | added 2026/06/26 7:30 p.m. | 5 views

CVE-2026-44696

OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text markdown rendering pipeline uses Sanitize::Config::RELAXED:css for inline style sanitization. This configuration permits essentially all CSS properties in style attributes on permitted HTML...

CVSS 5.7 | AI score 5.8 | EPSS 0.00211
Exploits: 0 | References: 2 | Affected Software: 1

ATTACKERKB | added 2026/06/26 7:29 p.m. | 5 views

CVE-2026-49355

OpenProject is open-source, web-based project management software. Prior to 17.4.0, GET /api/v3/meetings/:meetingid/agendaitems/:agendaitemid discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0...

CVSS 4.3 | AI score 5.8 | EPSS 0.00214
Exploits: 0 | References: 2 | Affected Software: 1

CVE | added 2026/06/26 7:27 p.m. | 9 views

CVE-2026-44736

OpenProject vulnerability CVE-2026-44736 affects the OpenProject web-based project management platform. The flaw exists in the GET /api/v3/relations endpoint prior to version 17.4.0, allowing any authenticated user to retrieve relations and the titles of work packages they should not have permiss...

CVSS 6.5 | AI score 5.9 | EPSS 0.00286
Exploits: 0 | References: 1

CVE | added 2026/06/26 6:54 p.m. | 18 views

CVE-2026-52785

OpenProject prior to versions 17.3.3 and 17.4.1 contains a SQL injection in the timestamps functionality. The vulnerability is tied to the baseline comparison feature, where the timestamps parameter can be used to request historic work-package attributes. The issue is fixed in 17.3.3 and 17.4.1. ...

CVSS 9.9 | AI score 5.8 | EPSS 0.00221
Exploits: 0 | References: 1

Positive Technologies | added 2026/06/26 12:00 a.m. | 5 views

PT-2026-52908

Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 17.4.0. Description: An issue exists where the endpoint GET /api/v3/meetings/:meeting id/agenda items/:agenda item id discloses private work package data. This occurs when a linked work package belongs to a project...

CVSS 4.3 | AI score 5.8 | EPSS 0.00214
Exploits: 0 | References: 3

ATTACKERKB | added 2026/03/11 4:27 p.m. | 2 views

CVE-2026-30239

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. Thi...

CVSS 6.5 | AI score 5.8 | EPSS 0.0019
Exploits: 0 | References: 2 | Affected Software: 1

EUVD | added 2026/03/11 4:27 p.m. | 3 views

EUVD-2026-11237

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. Thi...

CVSS 6.5 | AI score 5.8 | EPSS 0.0019
Exploits: 0 | References: 1

RedhatCVE | added 2026/02/08 1:21 a.m. | 7 views

CVE-2026-25764

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, so an attacker with administrator privileges can create a work...

CVSS 3.5 | AI score 5.4 | EPSS 0.00241
Exploits: 0 | References: 1

NVD | added 2026/02/06 10:16 p.m. | 6 views

CVE-2026-25764

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, so an attacker with administrator privileges can create a work...

CVSS 3.5 | EPSS 0.00241
Exploits: 0 | References: 3

Cvelist | added 2026/02/06 10:10 p.m. | 26 views

CVE-2026-25764 OpenProject vulnerable to Stored HTML injection

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, so an attacker with administrator privileges can create a work...

CVSS 3.5 | EPSS 0.00241
Exploits: 0 | References: 3

OSV | added 2026/02/06 10:10 p.m. | 6 views

CVE-2026-25764 OpenProject vulnerable to Stored HTML injection

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, so an attacker with administrator privileges can create a work...

CVSS 3.5 | AI score 5.4 | EPSS 0.00241
Exploits: 0 | References: 5

EUVD | added 2026/02/06 10:10 p.m. | 6 views

EUVD-2026-5557

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, so an attacker with administrator privileges can create a work...

CVSS 3.5 | AI score 5.4 | EPSS 0.00241
Exploits: 0 | References: 3

CVE | added 2026/02/06 10:10 p.m. | 12 views

CVE-2026-25764

OpenProject suffers a stored HTML injection in the time-tracking workflow prior to 16.6.7 and 17.0.3. The HTML is not escaped in the work package name, allowing an attacker with administrator privileges to inject HTML into the name when creating time-tracking entries, potentially affecting the Wo...

CVSS 3.5 | AI score 5.4 | EPSS 0.00241
Exploits: 0 | References: 3 | Affected Software: 1

Positive Technologies | added 2026/02/06 12:00 a.m. | 13 views

PT-2026-6806

Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 16.6.7; OpenProject versions prior to 17.0.3. Description: OpenProject is a web-based project management software. A flaw exists in the time tracking function where the application fails to properly handle HTML tags...

CVSS 3.5 | AI score 5.7 | EPSS 0.00241
Exploits: 0 | References: 8

NVD | added 2026/01/28 7:16 p.m. | 8 views

CVE-2026-24775

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows users to mention OpenProject work packages in the document. To show work...

CVSS 7.3 | EPSS 0.00105
Exploits: 0 | References: 2

CVE | added 2026/01/28 6:10 p.m. | 16 views

CVE-2026-24775

OpenProject 17.0.0 added a BlockNote editor extension that may expose internal resources. The vulnerability (CVE-2026-24775) arises because the extension does not properly validate the work package ID when loading details via the OpenProject API, allowing an attacker to craft documents with relat...

CVSS 7.3 | AI score 6 | EPSS 0.00105
Exploits: 0 | References: 2 | Affected Software: 1

ATTACKERKB | added 2026/01/28 6:10 p.m. | 6 views

CVE-2026-24775

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows users to mention OpenProject work packages in the document. To show work...

CVSS 6.3 | AI score 6 | EPSS 0.00105
Exploits: 0 | References: 3 | Affected Software: 1

Vulnrichment | added 2026/01/28 6:10 p.m. | 8 views

CVE-2026-24775 OpenProject has Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows users to mention OpenProject work packages in the document. To show work...

CVSS 6.3 | AI score 6 | EPSS 0.00105
Exploits: 0 | References: 2