Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
Security
SECURITY.md
-
IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "project_id" leads to Unauthorized Modification of ResourcesGHSA-mqvv-5mvc-7pg7 published
May 13, 2026 by oliverguentherModerate -
Content Security Policy img-src wildcard enables cross-origin pixel tracking and information leakageGHSA-m5p8-h274-f7w8 published
Jun 10, 2026 by oliverguentherLow -
Cross-Project Meeting Agenda Item Injection via Unscoped Section LookupGHSA-hh5p-gwf8-h245 published
Apr 15, 2026 by oliverguentherModerate -
Reminders Leak Work Package Data After Access RevocationGHSA-qr54-686p-j34x published
Apr 15, 2026 by oliverguentherModerate -
Shares API Information DisclosureGHSA-cfg3-f34w-9xx5 published
May 13, 2026 by oliverguentherModerate -
Title: Server-Side Request Forgery (SSRF) in SAML Metadata FetchGHSA-mq29-cmv3-rcmr published
Jun 10, 2026 by oliverguentherModerate -
Server-Side Request Forgery (SSRF) in Jira Attachment ImportGHSA-x2wp-9w6m-f39m published
Jul 1, 2026 by oliverguentherModerate -
SQL Injection in Cost Reporting =n Operator via parse_number_stringGHSA-5rrm-6qmq-2364 published
Mar 31, 2026 by oliverguentherCritical -
Repository files are served with the MIME type allowing them to be used to bypass Content Security PolicyGHSA-p423-72h4-fjvp published
Mar 16, 2026 by oliverguentherCritical -
SQL Injection via Custom Field Name can be chained to Remote Code ExecutionGHSA-jqhf-rf9x-9rhx published
Mar 16, 2026 by oliverguentherCritical
Learn more about advisories related to opf/openproject in the GitHub Advisory Database