Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
Security
SECURITY.md
- Arbitrary File Read via ImageMagick SVG Coder (GHSA-m8f2-cwpq-vvhh), published Jan 9, 2026 by oliverguenther. Severity: Critical
- Insecure Direct Object Reference in Meetings (GHSA-fq4m-pxvm-8x2j), published Jan 9, 2026 by oliverguenther. Severity: Moderate
- No protection against brute-force attacks in the Change Password function (GHSA-93x5-prx9-x239), published Jan 9, 2026 by oliverguenther. Severity: Moderate
- User enumeration via the change password function (GHSA-q7qp-p3vw-j2fh), published Jan 9, 2026 by oliverguenther. Severity: Moderate
- User Enumeration via User ID (GHSA-7fvx-9h6h-g82j), published Jan 9, 2026 by oliverguenther. Severity: Low
- Code Execution in E-Mail function (GHSA-9vrv-7h26-c7jc), published Jan 9, 2026 by oliverguenther. Severity: High
- Stored HTML injection (GHSA-mg4q-ghvh-cm2j), published Feb 10, 2025 by oliverguenther. Severity: Low
- Open Redirect Vulnerability in Sign-In in default configuration of OpenProject packaged installation (GHSA-g92v-vrq6-4fpw), published Jul 25, 2024 by oliverguenther. Severity: Moderate
- Stored XSS in Cost Report Tables (GHSA-h26c-j8wg-frjc), published May 22, 2024 by klaustopher. Severity: High
- Project identifier information leakage through robots.txt (GHSA-xjfc-fqm3-95q8), published Jun 1, 2023 by oliverguenther. Severity: High