openproject

Top products

The 15 most recently published vulnerabilities affecting openproject.

• CVE-2026-40896OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup6.5Apr 20, 2026
• CVE-2026-33667OpenProject: 2FA OTP Verification Missing Rate Limiting7.4Apr 15, 2026
• CVE-2026-34717OpenProject: SQL Injection in Cost Reporting =n Operator via parse_number_string9.9Apr 2, 2026
• CVE-2026-32703OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy9.0Mar 18, 2026
• CVE-2026-32698OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution9.1Mar 18, 2026
• CVE-2026-31974Blind SSRF on OpenProject instance via webhooks3.0Mar 11, 2026
• CVE-2026-30239OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets6.5Mar 11, 2026
• CVE-2026-30236OpenProject users that are not project members can be used to calculate Labor Budget, leaking their global hourly rate4.3Mar 11, 2026
• CVE-2026-30235Business Logic Error on OpenProject through hyperlinks in markdown using DOM clobbering6.5Mar 11, 2026
• CVE-2026-30234OpenProject BIM BCF XML Import: <Snapshot> Path Traversal Leads to Arbitrary Local File Read (AFR)6.5Mar 11, 2026
• CVE-2026-24777OpenProject has Improper Access Control on User Management allows user managers to lock admin accounts6.7Feb 9, 2026
• CVE-2026-25763Command Injection on OpenProject repositories leads to Remote Code Execution9.9Feb 6, 2026
• CVE-2026-25764OpenProject vulnerable to Stored HTML injection3.5Feb 6, 2026
• CVE-2026-24776OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer4.3Feb 6, 2026
• CVE-2026-24775OpenProject has Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension6.3Jan 28, 2026