
openproject

37 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Each entry gives the CVE identifier, the affected version range, a summary, and the CVSS base score with its severity rating.
CVE-2026-40896
< 17.3.0
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manage_agendas permissio
6.5 MEDIUM
CVE-2026-33667
< 17.3.0
OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp
7.4 HIGH
CVE-2026-34717
< 17.2.3
OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reportin
9.9 CRITICAL
CVE-2026-32703
< 16.6.9
OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the
9.0 CRITICAL
CVE-2026-32698
< 16.6.9
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vul
9.1 CRITICAL
CVE-2026-31974
< 17.2.0
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin
3.0 LOW
CVE-2026-30239
< 17.2.0
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages
6.5 MEDIUM
CVE-2026-30236
< 17.2.0
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning
4.3 MEDIUM
CVE-2026-30235
< 17.2.0
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper v
6.5 MEDIUM
CVE-2026-30234
< 17.2.0
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, an authenticated project member with BCF im
6.5 MEDIUM
CVE-2026-27723
< 17.0.5
OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create
4.3 MEDIUM
CVE-2026-24777
< 17.0.2
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can
6.7 MEDIUM
CVE-2026-25764
< 16.6.7
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulne
3.5 LOW
CVE-2026-25763
< 16.6.7
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write
9.9 CRITICAL
CVE-2026-24776
< 17.0.2
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item
4.3 MEDIUM
CVE-2026-24775
>= 17.0.0 and < 17.0.2
OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on Block
6.3 MEDIUM
CVE-2026-24772
>= 17.0.0 and < 17.0.2
OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProj
8.9 HIGH
CVE-2026-24685
< 16.6.6
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file w
8.8 HIGH
CVE-2026-23721
< 16.6.5
OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group
4.3 MEDIUM
CVE-2026-23646
< 16.6.5
OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 hav
6.5 MEDIUM
CVE-2026-23625
>= 16.3.0 and < 16.6.5
OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cros
8.7 HIGH
CVE-2026-22605
< 16.6.3
OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users
4.3 MEDIUM
CVE-2026-22604
>= 11.2.1 and < 16.6.2
OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when
5.3 MEDIUM
CVE-2026-22603
< 16.6.2
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject’s unauthenticated pas
6.5 MEDIUM
CVE-2026-22602
< 16.6.2
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low-privileged logged-in user c
3.5 LOW
CVE-2026-22601
< 16.6.2
OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered admin
7.2 HIGH
CVE-2026-22600
< 16.6.4
OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work pac
9.1 CRITICAL
CVE-2025-24892
< 15.2.1
OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly
3.5 LOW
CVE-2024-41801
< 14.3.0
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configu
4.7 MEDIUM
CVE-2024-35224
< 13.4.2
OpenProject is the leading open source project management software. OpenProject utilizes tablesorter inside of the Cost Report f
7.6 HIGH
CVE-2023-33960
< 12.5.6
OpenProject is web-based project management software. For any OpenProject installation, a robots.txt file is generated through t
7.5 HIGH
CVE-2023-31140
>= 7.4.0 and < 12.5.4
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user regis
4.8 MEDIUM
CVE-2021-43830
>= 12.0.0 and < 12.0.4
OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the bu
7.4 HIGH
CVE-2021-32763
< 11.3.3
OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the MessagesController class of
4.3 MEDIUM
CVE-2019-17092
< 9.0.4
An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrar
6.1 MEDIUM
CVE-2019-11600
>= 5.0.0 and < 8.3.2
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL
8.1 HIGH
CVE-2017-11667
<= 6.1.5
OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests i
8.1 HIGH
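A caveat when using the affected-version column above for triage: it shows a single simplified bound per CVE, but several of the summaries name fixes on more than one release branch (CVE-2026-32703, for example, is fixed in 16.6.9, 17.0.6, 17.1.3 and 17.2.1). A 17.0.0 install is therefore still affected even though it is not "< 16.6.9". The Python below is an added example, not code from this site or from OpenProject: it evaluates the page's range notation, then re-checks the same CVEs against per-branch fix lists transcribed from the summaries above, and reports where the two disagree. The function names, the `FIXED_IN`/`PAGE_RANGE` tables and the rule that a branch with no listed fix counts as affected when it is older than the newest listed fix are assumptions of this example; lower bounds (the version that introduced a bug) are not modelled.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version ('17.0.6', '16.6') into a 3-tuple.
    Pre-release suffixes are not handled; this example assumes plain releases."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


# Fix versions per release branch, transcribed from the advisory summaries
# on this page (only the entries whose summary names more than one fix).
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2026-32703": ["16.6.9", "17.0.6", "17.1.3", "17.2.1"],
    "CVE-2026-32698": ["16.6.9", "17.0.6", "17.1.3", "17.2.1"],
    "CVE-2026-27723": ["17.0.5", "17.1.2"],
    "CVE-2026-25764": ["16.6.7", "17.0.3"],
    "CVE-2026-25763": ["16.6.7", "17.0.3"],
    "CVE-2026-24685": ["16.6.6", "17.0.2"],
    "CVE-2026-23646": ["16.6.5", "17.0.1"],
}

# The single-range summary shown for each of those entries in the list above.
PAGE_RANGE: Dict[str, str] = {
    "CVE-2026-32703": "< 16.6.9",
    "CVE-2026-32698": "< 16.6.9",
    "CVE-2026-27723": "< 17.0.5",
    "CVE-2026-25764": "< 16.6.7",
    "CVE-2026-25763": "< 16.6.7",
    "CVE-2026-24685": "< 16.6.6",
    "CVE-2026-23646": "< 16.6.5",
}

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def in_page_range(version: str, expr: str) -> bool:
    """Evaluate a range in the page's notation, e.g. '< 17.3.0' or
    '>= 17.0.0 and < 17.0.2' (every clause must hold)."""
    v = parse_version(version)
    clauses = re.findall(r"(<=|>=|<|>)\s*([\d.]+)", expr)
    if not clauses:
        raise ValueError(f"unrecognised range expression: {expr!r}")
    return all(_OPS[op](v, parse_version(bound)) for op, bound in clauses)


def affected_branch_aware(version: str, fixed: List[str]) -> bool:
    """True if `version` predates the fix shipped on its own major.minor branch.

    Assumption of this example: a branch with no listed fix is treated as
    unpatched (affected) whenever it is older than the newest listed fix, and
    as unaffected when it is newer than every listed fix."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed)
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return v < same_branch[0]
    return v < fixes[-1]


def mismatches(version: str) -> List[str]:
    """CVEs the simplified page range would clear for `version` although the
    per-branch fix list says the install is still affected."""
    return [
        cve
        for cve, fixed in FIXED_IN.items()
        if affected_branch_aware(version, fixed)
        and not in_page_range(version, PAGE_RANGE[cve])
    ]


if __name__ == "__main__":
    for candidate in ("16.6.8", "17.0.0", "17.1.2", "17.3.0"):
        print(candidate, "->", mismatches(candidate) or "no mismatch")
```

Running it shows the gap concretely: for 17.0.0 six of the seven CVEs are cleared by the simplified range but still open per the fix lists, while 16.6.8 and 17.3.0 produce no disagreement. When matching an inventory against a list like this one, use the full set of fixed versions from the advisory text, not the collapsed lower bound.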
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin