13 matches found
CVE-2026-30234 OpenProject BIM BCF XML Import: <Snapshot> Path Traversal Leads to Arbitrary Local File Read (AFR)
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF import permissions can upload a crafted .bcf archive where the value in markup.bcf is manipulated to contain an absolute or traversal local path for example: /etc/passwd...
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-24685 OpenProject has Argument Injection on Repository module that allows Arbitrary File Write
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint /projects/:projectid/repository/diff.diff when rendering a single revision via git show. By...
OpenProject data falsification vulnerability
OpenProject is an open-source web-based project management software. In versions 17.0.0 to 17.0.2 of OpenProject, there was a data manipulation vulnerability. This vulnerability stemmed from the BlockNote editor extension not properly verifying work package IDs, allowing arbitrary GET requests to...
CVE-2026-23721 OpenProject users with "View Members" permission in any project can view all Group memberships
OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, d...
CVE-2026-22603
CVE-2026-22603 affects OpenProject before version 16.6.2. The vulnerability is due to an unauthenticated password-change endpoint (/account/change_password) that lacked the same brute-force protections as the login form. An attacker who can guess or enumerate user IDs can send unlimited password-...
CVE-2026-22600 OpenProject is Vulnerable to Arbitrary File Read via ImageMagick SVG Coder
OpenProject is an open-source, web-based project management software. A Local File Read LFR vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file disguised as a PNG as a work package attachment, an...
OpenProject 信息泄露漏洞
OpenProject is OpenProject open source a Web-based project management software. OpenProject 16.6.4 before the version of the information leakage vulnerability , the vulnerability stems from the work package PDF export function there is a local file reading vulnerability , an attacker can upload a...
CVE-2024-41801
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProje...
EUVD-2017-3279
Malware in sbrugna...
EUVD-2024-39190
Malicious code in bioql PyPI...
CVE-2024-35224
OpenProject is the leading open source project management software. OpenProject utilizes tablesorter inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via icon substitution in table header values. This attack requires the permissions "Edit work package...
CVE-2023-33960 OpenProject vulnerable to project identifier information leakage through robots.txt
OpenProject is web-based project management software. For any OpenProject installation, a robots.txt file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to...