CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-52782
Critical

In OpenProject prior to versions 17.3.3 and 17.4.1, an IDOR vulnerability exists in the endpoint /projects/<A>/settings/project_storages/<A_ps_id> via the PATCH parameter "storages_project_storage[project_folder_id]". A project administrator can hijack the managed Nextcloud or OneDrive folder of another project on the same storage, leading to unauthorized resource access.

CVE-2026-52781
Medium

OpenProject before versions 17.3.3 and 17.4.1 has a vulnerability due to unrestricted data-* attributes in <macro> elements in the HTML sanitizer. An attacker can inject data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to renderStreamMessage(), executing arbitrary Turbo Stream actions including redirect_to to an attacker-controlled server.

CVE-2026-52780
Critical

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE).

CVE-2026-52779
Medium

In OpenProject prior to versions 17.3.3 and 17.4.1, an IDOR vulnerability in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public queries from another project where they lack such permissions.

CVE-2026-49991
High

In RustFS 1.0.0-beta.4, authenticated users with PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: no ../ sanitization in tar entry key normalization, IAM wildcard matching using raw (uncleaned) paths, and filesystem path cleaning resolving ../ across bucket boundaries.

CVE-2026-49355
Medium

A vulnerability in OpenProject prior to version 17.4.0 allows disclosure of private work package data from a linked work package belonging to an inaccessible project via a GET request to the API endpoint.

CVE-2026-47193
High

A vulnerability in OpenProject before versions 17.3.3 and 17.4.1 allows the journal diff endpoint to disclose hidden historical field values without enforcing object and field visibility.

CVE-2026-46386
Critical

The official openproject/openproject Docker image ships with a default SECRET_KEY_BASE=OVERWRITE_ME, which combined with cookies_serializer = :marshal allows any logged-in user a deterministic Marshal-deserialization path via the /my/two_factor_devices cookie reader. This vulnerability is fixed in a later version.

CVE-2026-44736
Medium

A vulnerability in OpenProject before version 17.4.0 allows an authenticated user to retrieve relations and the subject (title) of work packages they have no permission to view via the GET /api/v3/relations endpoint. The issue stems from a flawed performance optimization in RelationQuery that bypasses the Relation.visible scope.

CVE-2026-44735
Medium

In OpenProject prior to versions 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for all work packages in a project to any user with the view_shared_work_packages permission. Authorization is performed only at the project level, without verifying that the requesting user can actually view each individual shared work package.

CVE-2026-44734
Medium

In OpenProject prior to versions 17.3.2 and 17.4.0, a missing authorization vulnerability exists in the CostReportsController. An authenticated attacker can rename, modify filters, and change grouping of any public cost report by knowing its numeric ID, without needing owner permissions.

CVE-2026-44733
Medium

In OpenProject prior to versions 17.3.2 and 17.4.0, a business logic error in the password change mechanism allows bypassing password strength requirements via a PATCH request to /api/v3/users/me. An attacker with an active session takeover can change a user's password to a weak one.

CVE-2026-44732
Medium

OpenProject before versions 17.3.2 and 17.4.0 has a vulnerability in the document update endpoint. Attacker-controlled attributes are applied before authorization, allowing a user without :manage_documents permissions to move and modify documents from other projects.

CVE-2026-44731
Medium

In OpenProject prior to versions 17.3.2 and 17.4.0, the meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name. This allows an attacker to enumerate all existing user accounts by probing user IDs and observing differences in server responses.

CVE-2026-44696
Medium

OpenProject before version 17.4.0 uses Sanitize::Config::RELAXED[:css] for inline style sanitization in Markdown rendering. This allows authenticated users with write access to inject arbitrary CSS properties in text fields (e.g., work package descriptions, comments).

CVE-2026-32833
HighEPSS 68%

Cudy LT300 running firmware prior to version 2.5.12 contains an OS command injection vulnerability. An authenticated attacker can inject shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface, leading to remote code execution.

CVE-2026-29509
Medium

A path traversal vulnerability in Patool before version 4.0.5 in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12 allows attackers to write arbitrary files by supplying a malicious archive with specially crafted member paths.

CVE-2026-54753
MediumEPSS 52%

A vulnerability in Nx (versions 17.0.4 through 22.7.2 and 23.0.0-beta.2) occurs because the local HTTP server started by `nx graph` sets the `Access-Control-Allow-Origin: *` header on every response. This allows any website visited by a developer to read the server's responses cross-origin, including the full project graph and the output of the `/help` endpoint, which runs a target's configured help command.

CVE-2026-48090
Medium

In Envoy from version 1.37.0 to 1.37.5 and 1.38.3, the HTTP OAuth2 filter can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can invoke OAuth2Filter methods on a freed object, causing undefined behavior, worker crashes (availability loss), and use-after-free/invalid-vptr failures. This vulnerability is fixed in 1.37.5 and 1.38.3.

CVE-2026-47220
High

A vulnerability in Envoy allows a crash when using the %REQUESTED_SERVER_NAME(X:Y)% log format with host-related options if the host header is missing in the request. Affected versions are from 1.37.0 to 1.37.5 and 1.38.3.

PreviousPage 160 of 4564Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS