Vulnerabilities in opf

34 results
CVE ID | Severity | Title | EPSS
CVE-2026-25764 | LOW | OpenProject vulnerable to Stored HTML injection | EPSS 0.2%
CVE-2026-22603 | MEDIUM | OpenProject has no protection against brute-force attacks in the Change Password function | EPSS 0.2%
CVE-2026-27723 | MEDIUM | OpenProject: Insufficient access control leads to create Wiki objects belongs unpermitted projects | EPSS 0.2%
CVE-2026-23625 | HIGH | OpenProject has stored XSS regression using attachments and script-src self | EPSS 0.2%
CVE-2026-22605 | MEDIUM | OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings | EPSS 0.2%
CVE-2026-24776 | MEDIUM | OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer | EPSS 0.2%
CVE-2026-30239 | MEDIUM | OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets | EPSS 0.2%
CVE-2026-32703 | CRITICAL | OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy | EPSS 0.2%
CVE-2026-23721 | MEDIUM | OpenProject users with "View Members" permission in any project can view all Group memberships | EPSS 0.2%
CVE-2026-30236 | MEDIUM | OpenProject users that are not project members can be used to calculate Labor Budget, leaking their global hourly rate | EPSS 0.2%
CVE-2026-40896 | MEDIUM | OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup | EPSS 0.2%
CVE-2026-24772 | HIGH | OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server | EPSS 0.2%
CVE-2026-31974 | LOW | Blind SSRF on OpenProject instance via webhooks | EPSS 0.2%
CVE-2026-24775 | MEDIUM | OpenProject has Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension | EPSS 0.1%