Security: opf/openproject

Security

SECURITY.md
Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Published advisories (severity as assigned in the GitHub Advisory Database):

- Path Traversal via Incoming Email Attachments Leads to Arbitrary File Write and RCE. GHSA-r85w-rv9m-q784, published Feb 18, 2026 by oliverguenther. Severity: Critical
- Path Traversal on OpenProject BIM Edition leads to Arbitrary File upload on BCF module, resulting in possible RCE when using file-based caching. GHSA-4fvm-rrc8-mgch, published Feb 18, 2026 by oliverguenther. Severity: Critical
- HTML Injection via Email Field in User Registration Leading to Malicious Notification Email to Instance Owner (Admin). GHSA-6m5j-mp2j-cgmm, published Feb 18, 2026 by oliverguenther. Severity: Moderate
- Improper Access Control on OpenProject through /api/v3/queries via POST request allows unauthorized users to create project queries. GHSA-5m66-2gm7-6jcc, published Feb 18, 2026 by oliverguenther. Severity: Moderate
- Improper Access Control on OpenProject instance through /api/v3/capabilities. GHSA-g62r-9rgf-h53q, published Feb 18, 2026 by oliverguenther. Severity: Moderate
- HTML Injection on OpenProject instance through project name. GHSA-r4v5-h2fp-fhxf, published Feb 18, 2026 by oliverguenther. Severity: Low
- HTML injection on wiki updated mailer. GHSA-jrhg-mx22-57rm, published Feb 18, 2026 by oliverguenther. Severity: Low
- Users allowed to edit hourly rates in one project could delete hourly rates for all projects. GHSA-xh2h-jfr6-3qhc, published Feb 18, 2026 by oliverguenther. Severity: Moderate
- Several Insecure Direct Object Reference errors in the meetings module. GHSA-8fq7-cmmf-2793, published Feb 11, 2026 by oliverguenther. Severity: Moderate
- CSRF via Unsafe GET Request Allows Deletion of Work Packages. GHSA-727f-w7gp-pw84, published Feb 11, 2026 by oliverguenther. Severity: High
Learn more about advisories related to opf/openproject in the GitHub Advisory Database.