Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
- IDOR on OpenProject through /meetings/{meeting_id}/agenda_items/{id}/move_to_section via POST request (GHSA-xw8w-4qxm-g9gv), severity Moderate, published Feb 26, 2026 by klaustopher
- Stored HTML Injection via MentionFilter Bypass Leads to Credential Harvesting in Email Notifications (GHSA-cxm3-9m5g-9cq4), severity Low, published Feb 26, 2026 by klaustopher
- User mentions result in information disclosure of user names (GHSA-j4m9-7hff-8qgr), severity Moderate, published Feb 26, 2026 by klaustopher
- Authorization flaw in API grids endpoint leads to erase another user widget (GHSA-7xv7-73x4-qqvp), severity Moderate, published Feb 26, 2026 by klaustopher
- Path Traversal via Incoming Email Attachments Leads to Arbitrary File Write and RCE (GHSA-r85w-rv9m-q784), severity Critical, published Feb 18, 2026 by oliverguenther
- Path Traversal on OpenProject BIM Edition leads to Arbitrary File upload on BCF module, resulting in possible RCE when using file-based caching (GHSA-4fvm-rrc8-mgch), severity Critical, published Feb 18, 2026 by oliverguenther
- HTML Injection via Email Field in User Registration Leading to Malicious Notification Email to Instance Owner (Admin) (GHSA-6m5j-mp2j-cgmm), severity Moderate, published Feb 18, 2026 by oliverguenther
- Improper Access Control on OpenProject through /api/v3/queries via POST request allows unauthorized users to create project queries (GHSA-5m66-2gm7-6jcc), severity Moderate, published Feb 18, 2026 by oliverguenther
- Improper Access Control on OpenProject instance through /api/v3/capabilities (GHSA-g62r-9rgf-h53q), severity Moderate, published Feb 18, 2026 by oliverguenther
- HTML Injection on OpenProject instance through project name (GHSA-r4v5-h2fp-fhxf), severity Low, published Feb 18, 2026 by oliverguenther