Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject

Published security advisories (GitHub Security Advisories, GHSA) for opf/openproject:
- HTML injection on wiki updated mailer (GHSA-jrhg-mx22-57rm). Severity: Low. Published Feb 18, 2026 by oliverguenther.
- Users allowed to edit hourly rates in one project could delete hourly rates for all projects (GHSA-xh2h-jfr6-3qhc). Severity: Moderate. Published Feb 18, 2026 by oliverguenther.
- Several Insecure Direct Object Reference errors in the meetings module (GHSA-8fq7-cmmf-2793). Severity: Moderate. Published Feb 11, 2026 by oliverguenther.
- CSRF via Unsafe GET Request Allows Deletion of Work Packages (GHSA-727f-w7gp-pw84). Severity: High. Published Feb 11, 2026 by oliverguenther.
- Command Injection on OpenProject repositories leads to Remote Code Execution (GHSA-x37c-hcg5-r5m7). Severity: Critical. Published Feb 6, 2026 by oliverguenther.
- Stored HTML injection in time tracking module of OpenProject (GHSA-q523-c695-h3hp). Severity: Low. Published Feb 6, 2026 by oliverguenther.
- Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension (GHSA-35c6-x276-2pvc). Severity: Moderate. Published Jan 28, 2026 by oliverguenther.
- IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer (GHSA-p9v8-w9ph-hqmf). Severity: Moderate. Published Feb 5, 2026 by oliverguenther.
- Argument Injection on Repository Diff allows Arbitrary File Write and Remote Code Execution (GHSA-74p5-9pr3-r6pw). Severity: Critical. Published Jan 28, 2026 by oliverguenther.
- SSRF and CSWSH in Hocuspocus Synchronization Server (GHSA-r854-p5qj-x974). Severity: High. Published Jan 28, 2026 by oliverguenther.
Further advisories related to opf/openproject are listed in the GitHub Advisory Database.