CVE-2026-52785
CriticalCVSS 9.9Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
OpenProject before versions 17.3.3 and 17.4.1 contains a SQL injection vulnerability in the timestamps functionality. Attackers can exploit the timestamps parameter to execute unauthorized database queries.
Risk Assessment
The risk includes potential leakage of sensitive project data, modification or deletion of database records, and privilege escalation within the system.
Recommendation
Immediately update OpenProject to version 17.3.3 or 17.4.1, which contain the fix for this vulnerability.
Original NVD description (English source)
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fixed in 17.3.3 and 17.4.1.

