cvebase

Opf Openproject vulnerabilities

51 known vulnerabilities affecting opf/openproject.

Total CVEs: 51
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: Critical 7, High 13, Medium 29, Low 2

Vulnerabilities

Page 3 of 3
CVE-2026-31974 | P4 | MEDIUM | CVSS 4.3 | CWE-918 | fixed in 17.2.0 | 2026-03-11
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with acces
Source: nvd

CVE-2026-23625 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected >= 16.3.0, < 16.6.5 | 2026-01-19
OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work packages from a different project (e.g., a subproject),
Source: nvd

CVE-2026-44732 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | fixed in 17.3.2 | 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are applied to the persisted record before authorization
Source: nvd

CVE-2026-24776 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | fixed in 17.0.2 | 2026-02-06
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a
Source: nvd

CVE-2026-22605 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | fixed in 16.6.3 | 2026-01-10
OpenProject is an open-source, web-based project management software. OpenProject versions prior to 16.6.3 allowed users with the View Meetings permission on any project to access meeting details of meetings that belonged to projects the user does not have access to. This issue has been patched in version 16.6.3.
Source: nvd

CVE-2026-49355 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | fixed in 17.4.0 | 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0.
Source: nvd

CVE-2026-44731 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | fixed in 17.3.2 | 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the
Source: nvd

CVE-2026-30236 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | fixed in 17.2.0 | 2026-03-11
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member. This exposed the user's default rate (if one was set up) to users that should only see that information for proj
Source: nvd

CVE-2026-23721 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 16.6.5 | affected = 17.0.0 | 2026-01-19
OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the Vie
Source: nvd

CVE-2026-22602 | P4 | LOW | CVSS 3.5 | CWE-200 | fixed in 16.6.2 | 2026-01-10
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low-privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same beha
Source: nvd

CVE-2026-25764 | P4 | LOW | CVSS 3.5 | CWE-80 | fixed in 16.6.7, 17.0.3 | 2026-02-06
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, so an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to
Source: nvd