23 matches found

ATTACKERKB, added 2026/06/26 7:32 p.m., 5 views

CVE-2026-44735

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the viewsharedworkpackages permission. The authorization check operates at the project level onl...

CVSS 6.5, AI score 5.8, EPSS 0.0027
Exploits: 0, References: 2, Affected software: 1
Cvelist, added 2026/06/26 7:32 p.m., 22 views

CVE-2026-44735 OpenProject: Shares API Information Disclosure

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the viewsharedworkpackages permission. The authorization check operates at the project level onl...

CVSS 6.5, EPSS 0.0027
Exploits: 0, References: 1
CVE, added 2026/06/26 7:32 p.m., 10 views

CVE-2026-44735

Technical details for CVE-2026-44735 are not publicly available in the provided documents. Monitor for updates.

CVSS 6.5, AI score 5.8, EPSS 0.0027
Exploits: 0, References: 1
Cvelist, added 2026/06/26 7:27 p.m., 22 views

CVE-2026-44736 OpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Package Subjects

OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject title of work packages they have no permission to view — by supplying an arbitrary work package ID in the...

CVSS 6.5, EPSS 0.00286
Exploits: 0, References: 1
Cvelist, added 2026/06/26 7:00 p.m., 28 views

CVE-2026-52781 OpenProject: Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description"

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted data- attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount ...

CVSS 6.4, EPSS 0.0015
Exploits: 0, References: 1
CVE, added 2026/06/26 7:00 p.m., 12 views

CVE-2026-52781

OpenProject CVE-2026-52781 affects the open-source, web-based project management software. Prior to versions 17.3.3 and 17.4.1, the HTML sanitizer allowed elements to have unrestricted data-* attributes via a :data wildcard. An attacker could inject data-controller="poll-for-changes" into a work...

CVSS 6.4, AI score 5.9, EPSS 0.0015
Exploits: 0, References: 1
ATTACKERKB, added 2026/06/26 6:54 p.m., 7 views

CVE-2026-52785

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fix...

CVSS 9.9, AI score 5.8, EPSS 0.00221
Exploits: 0, References: 2, Affected software: 1
Positive Technologies, added 2026/06/26 12:00 a.m., 9 views

PT-2026-52904

Name of the vulnerable software and affected versions: OpenProject versions prior to 17.3.2; OpenProject versions prior to 17.4.0. Description: An authorization flaw exists where the 'GET /api/v3/shares' endpoint returns share details for all work packages within a project to any user possessing the...

CVSS 6.5, AI score 5.8, EPSS 0.0027
Exploits: 0, References: 3
RedhatCVE, added 2026/03/26 3:12 p.m., 5 views

CVE-2026-30239

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. Thi...

CVSS 7.1, AI score 5.8, EPSS 0.0019
Exploits: 0, References: 1
NVD, added 2026/03/11 5:16 p.m., 6 views

CVE-2026-30239

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. Thi...

CVSS 7.1, EPSS 0.0019
Exploits: 0, References: 1
Vulnrichment, added 2026/03/11 4:27 p.m., 3 views

CVE-2026-30239 OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. Thi...

CVSS 6.5, AI score 5.8, EPSS 0.0019
Exploits: 0, References: 1
CVE, added 2026/03/11 4:27 p.m., 12 views

CVE-2026-30239

OpenProject has a permission check bypass vulnerability in budget deletion prior to version 17.2.0. When budgets were deleted, all work packages assigned to the deleted budget could be reassigned or cleared because the check on the delete action executed after the reassignment operation, allowing...

CVSS 7.1, AI score 5.8, EPSS 0.0019
Exploits: 0, References: 1, Affected software: 1
OSV, added 2026/03/11 4:27 p.m., 5 views

CVE-2026-30239 OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. Thi...

CVSS 6.5, AI score 5.8, EPSS 0.0019
Exploits: 0, References: 3
Cvelist, added 2026/03/11 4:27 p.m., 28 views

CVE-2026-30239 OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. Thi...

CVSS 6.5, EPSS 0.0019
Exploits: 0, References: 1
CNNVD, added 2026/03/11 12:00 a.m., 7 views

OpenProject security vulnerability

OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 17.2.0 had security vulnerabilities. These vulnerabilities stemmed from a flaw where, when deleting budgets, the work packages assigned to those budgets were moved before the permission checks...

CVSS 7.1, AI score 5.8, EPSS 0.0019
Exploits: 0, References: 1
EUVD, added 2026/01/28 6:10 p.m., 6 views

EUVD-2026-4878

OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work...

CVSS 6.3, AI score 6, EPSS 0.00105
Exploits: 0, References: 2
CNNVD, added 2026/01/28 12:00 a.m., 16 views

OpenProject data falsification vulnerability

OpenProject is an open-source web-based project management software. In versions 17.0.0 to 17.0.2 of OpenProject, there was a data manipulation vulnerability. This vulnerability stemmed from the BlockNote editor extension not properly verifying work package IDs, allowing arbitrary GET requests to...

CVSS 7.3, AI score 5.9, EPSS 0.00105
Exploits: 0, References: 3
NVD, added 2026/01/19 6:16 p.m., 8 views

CVE-2026-23625

OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work...

CVSS 8.7, EPSS 0.00207
Exploits: 0, References: 3
Cvelist, added 2026/01/19 5:41 p.m., 21 views

CVE-2026-23625 OpenProject has stored XSS regression using attachments and script-src self

OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work...

CVSS 8.7, EPSS 0.00207
Exploits: 0, References: 3
OSV, added 2026/01/19 5:41 p.m., 5 views

CVE-2026-23625 OpenProject has stored XSS regression using attachments and script-src self

OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work...

CVSS 8.7, AI score 5.1, EPSS 0.00207
Exploits: 0, References: 5