Threat Database

Showing 1-6 of 6 records (Critical 1, High 1, Medium 3)
CVE-2026-22604 - OpenProject (entry updated 2026-01-14)

OpenProject is an open-source, web-based project management software. In OpenProject versions from 11.2.1 to before 16.6.2, sending a POST request to the /account/change_password endpoint with an arbitrary user ID as the password_change_user_id parameter produced an error page that displayed the username of the requested user. Because this endpoint is designed to be reachable without authentication, it allowed an unauthenticated attacker to enumerate the usernames of every account registered on an OpenProject instance. This issue has been patched in version 16.6.2.

Severity: MEDIUM, CVSS 6.9, published 2026-01-10
CVE-2026-22603 - OpenProject (entry updated 2026-01-14)

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker who can guess or enumerate user IDs can send unlimited password-change requests for a given account without triggering lockout or other rate-limiting controls. This allows automated password guessing (e.g., with wordlists of common passwords) against valid accounts. Successful guessing results in full account compromise for the targeted user and, depending on that user's role,…

Severity: MEDIUM, CVSS 6.9, published 2026-01-10
CVE-2026-22605 - OpenProject (entry updated 2026-01-14)

OpenProject is an open-source, web-based project management software. OpenProject versions prior to 16.6.3 allowed any user holding the View Meetings permission in at least one project to access the details of meetings belonging to projects that the user does not have access to. This issue has been patched in version 16.6.3.

Severity: MEDIUM, CVSS 4.3, published 2026-01-10
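The flaw in CVE-2026-22605 is an authorization check scoped to the wrong object: "does this user hold View Meetings anywhere?" instead of "does this user hold View Meetings in the project that owns this meeting?". The following Ruby example (OpenProject is a Rails application) is added here to show the two checks side by side; it is not OpenProject's code, and the Project, Meeting and User structures, the permission symbol :view_meetings and the fixture data are all constructed for the example.

```ruby
# Minimal models standing in for OpenProject's Project, Meeting and User
# (assumed names and shapes, constructed for this example).
Project = Struct.new(:id, :members)   # members: { user_id => [permission symbols] }
Meeting = Struct.new(:id, :project_id, :title)
User    = Struct.new(:id)

def permissions_in(project, user)
  project.members.fetch(user.id, [])
end

# The pattern behind the flaw: "does this user hold View Meetings anywhere?"
# Holding the permission in one project unlocks meetings in every project.
def can_view_meeting_vulnerable?(user, _meeting, projects)
  projects.any? { |p| permissions_in(p, user).include?(:view_meetings) }
end

# The object-scoped check: the permission must be held in the project that
# owns this particular meeting. An unknown owning project denies by default.
def can_view_meeting_fixed?(user, meeting, projects)
  project = projects.find { |p| p.id == meeting.project_id }
  return false if project.nil?
  permissions_in(project, user).include?(:view_meetings)
end

# Apply a checker (by method name) across all meetings and return the visible IDs.
def visible_meetings(user, meetings, projects, checker)
  meetings.select { |m| send(checker, user, m, projects) }.map(&:id)
end

# Constructed fixture: user 10 is a member of project 1 only; user 11 of both;
# user 12 is a member of nothing.
PROJECTS = [
  Project.new(1, { 10 => [:view_meetings], 11 => [:view_meetings] }),
  Project.new(2, { 11 => [:view_meetings] })
].freeze
MEETINGS = [
  Meeting.new(100, 1, 'Sprint review'),
  Meeting.new(200, 2, 'Board meeting')
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{visible_meetings(User.new(10), MEETINGS, PROJECTS, :can_view_meeting_vulnerable?)}"
  puts "fixed:      #{visible_meetings(User.new(10), MEETINGS, PROJECTS, :can_view_meeting_fixed?)}"
end
```

With the fixture above, user 10 sees both meetings under the vulnerable check and only meeting 100 under the fixed one. The general rule is that a permission check for a resource must be evaluated against the container the resource belongs to, and an unresolvable container must deny rather than fall through.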
CVE-2026-22602 - OpenProject (entry updated 2026-01-14)

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low-privileged logged-in user could view the full names of other users. Because user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users' full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may…

Severity: LOW, CVSS 3.5, published 2026-01-10
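Three of the entries on this page (CVE-2026-22604, CVE-2026-22603 and CVE-2026-22602) share a footprint in request logs: one client walking through user IDs on /account/change_password, one client hammering a single user ID there, or one client iterating numeric IDs on the user API. The following Ruby script is an added detection example, not OpenProject's code. It assumes a constructed log format with one request per line (timestamp, client IP, method, path, request parameters or "-", status); whether your proxy or application log actually records POST parameters is deployment-specific. The API user-lookup path /api/v3/users/<id> is an assumption chosen for the example; the CVE text only says the API reproduces the behaviour. The sample log lines are constructed, not real traffic.

```ruby
require 'set'

# Constructed sample log for this example (not real traffic). Assumed format,
# one request per line:
#   <timestamp> <client_ip> <method> <path> <params or "-"> <status>
SAMPLE_LOG = <<~LOG
  2026-01-14T10:00:01Z 198.51.100.7 POST /account/change_password password_change_user_id=1 422
  2026-01-14T10:00:02Z 198.51.100.7 POST /account/change_password password_change_user_id=2 422
  2026-01-14T10:00:03Z 198.51.100.7 POST /account/change_password password_change_user_id=3 422
  2026-01-14T10:00:04Z 198.51.100.7 POST /account/change_password password_change_user_id=4 422
  2026-01-14T10:00:05Z 198.51.100.7 POST /account/change_password password_change_user_id=5 422
  2026-01-14T10:00:06Z 198.51.100.7 POST /account/change_password password_change_user_id=6 422
  2026-01-14T10:01:00Z 203.0.113.9 POST /account/change_password password_change_user_id=42 422
  2026-01-14T10:01:01Z 203.0.113.9 POST /account/change_password password_change_user_id=42 422
  2026-01-14T10:01:02Z 203.0.113.9 POST /account/change_password password_change_user_id=42 422
  2026-01-14T10:01:03Z 203.0.113.9 POST /account/change_password password_change_user_id=42 422
  2026-01-14T10:01:04Z 203.0.113.9 POST /account/change_password password_change_user_id=42 422
  2026-01-14T10:01:05Z 203.0.113.9 POST /account/change_password password_change_user_id=42 422
  2026-01-14T10:01:06Z 203.0.113.9 POST /account/change_password password_change_user_id=42 422
  2026-01-14T10:02:00Z 192.0.2.33 GET /api/v3/users/1 - 200
  2026-01-14T10:02:01Z 192.0.2.33 GET /api/v3/users/2 - 200
  2026-01-14T10:02:02Z 192.0.2.33 GET /api/v3/users/3 - 200
  2026-01-14T10:02:03Z 192.0.2.33 GET /api/v3/users/4 - 200
  2026-01-14T10:02:04Z 192.0.2.33 GET /api/v3/users/5 - 200
  2026-01-14T10:03:00Z 10.0.0.1 GET /api/v3/users/12 - 200
  2026-01-14T10:03:30Z 10.0.0.2 POST /account/change_password password_change_user_id=7 302
LOG

# Parse one log line into a hash; returns nil for blank or malformed lines.
def parse_line(line)
  ts, ip, method, path, params, status = line.split
  return nil unless status
  kv = params == '-' ? {} : params.split('&').to_h { |p| k, v = p.split('=', 2); [k, v] }
  { ts: ts, ip: ip, method: method, path: path, params: kv, status: status.to_i }
end

# Three behaviours, all keyed on the client IP:
#   :user_enumeration  - many distinct password_change_user_id values on /account/change_password
#   :password_guessing - many POSTs to /account/change_password for one user ID
#   :api_id_iteration  - many distinct numeric IDs requested from /api/v3/users/<id>
#                        (assumed user-lookup path; adjust to the URLs in your own logs)
def detect(log_text, threshold: 5)
  enum_ids = Hash.new { |h, k| h[k] = Set.new }
  guesses  = Hash.new(0)
  api_ids  = Hash.new { |h, k| h[k] = Set.new }

  log_text.each_line do |raw|
    entry = parse_line(raw.strip)
    next unless entry
    if entry[:method] == 'POST' && entry[:path] == '/account/change_password'
      uid = entry[:params]['password_change_user_id']
      next unless uid
      enum_ids[entry[:ip]] << uid
      guesses[[entry[:ip], uid]] += 1
    elsif entry[:method] == 'GET' && (m = entry[:path].match(%r{\A/api/v3/users/(\d+)\z}))
      api_ids[entry[:ip]] << m[1].to_i
    end
  end

  alerts = []
  enum_ids.each { |ip, ids| alerts << { type: :user_enumeration, ip: ip, count: ids.size } if ids.size >= threshold }
  guesses.each { |(ip, uid), n| alerts << { type: :password_guessing, ip: ip, user_id: uid, count: n } if n >= threshold }
  api_ids.each { |ip, ids| alerts << { type: :api_id_iteration, ip: ip, count: ids.size } if ids.size >= threshold }
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect(SAMPLE_LOG).each { |a| puts a.inspect }
end
```

On the constructed sample the script raises three alerts: enumeration from 198.51.100.7 (six distinct IDs), password guessing against user 42 from 203.0.113.9 (seven attempts), and ID iteration from 192.0.2.33 (five distinct IDs). The single legitimate requests from 10.0.0.1 and 10.0.0.2 stay below the threshold. The threshold is per-IP and has no time window, which is fine for a batch sweep over a day's log; a streaming detector would key on a sliding window and also treat a low-and-slow walk spread across many source addresses as a separate case.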
CVE-2026-22600 - OpenProject (entry updated 2026-01-14)

OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to…

Severity: CRITICAL, CVSS 9.1, published 2026-01-10
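The precondition for CVE-2026-22600 is that a file claiming to be a PNG is handed to ImageMagick without anyone checking that its bytes are a PNG. The Ruby example below is added here to show the check a practitioner would put in front of an image-processing pipeline; it is not OpenProject's code, and the raster allowlist (PNG, JPEG, GIF), the function names and the sample inputs are assumptions constructed for the example. Anything that begins with markup is classed as XML so that SVG, with or without an XML prolog, comment or DOCTYPE, is rejected before it can reach a coder that interprets it.

```ruby
# Magic bytes for the raster formats this example permits as attachments
# (an assumed allowlist; the point is that SVG and other text formats are not on it).
PNG_MAGIC  = "\x89PNG\r\n\x1a\n".b
JPEG_MAGIC = "\xFF\xD8\xFF".b
GIF_MAGICS = ["GIF87a".b, "GIF89a".b].freeze

# Identify content by what the bytes actually are, never by extension or
# Content-Type. Leading whitespace is skipped before the markup test so a
# padded "<svg" still counts as markup.
def sniff_image_type(bytes)
  b = bytes.b
  return :png  if b.start_with?(PNG_MAGIC)
  return :jpeg if b.start_with?(JPEG_MAGIC)
  return :gif  if GIF_MAGICS.any? { |m| b.start_with?(m) }
  head = b[0, 512].lstrip
  return :xml if head.start_with?('<')
  :unknown
end

EXPECTED_BY_EXT = { 'png' => :png, 'jpg' => :jpeg, 'jpeg' => :jpeg, 'gif' => :gif }.freeze

# Returns [accepted?, reason]. All three signals must agree: file extension,
# sniffed content and the declared Content-Type.
def validate_attachment(filename, bytes, declared_content_type)
  ext = File.extname(filename).downcase.delete('.')
  expected = EXPECTED_BY_EXT[ext]
  return [false, "extension .#{ext} is not an allowed raster type"] unless expected
  actual = sniff_image_type(bytes)
  return [false, "content is #{actual}, not #{expected}"] unless actual == expected
  unless declared_content_type == "image/#{expected}"
    return [false, "declared type #{declared_content_type} does not match #{expected}"]
  end
  [true, 'ok']
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: SVG bytes uploaded under a .png name and image/png type.
  disguised = "<?xml version=\"1.0\"?><svg xmlns=\"http://www.w3.org/2000/svg\"/>".b
  p validate_attachment('logo.png', disguised, 'image/png')
end
```

The content check should run at upload time and again immediately before any resize or conversion, because the bytes on disk are the only signal that cannot be chosen by the uploader. As defence in depth, ImageMagick's policy.xml can deny the text-interpreting coders outright, for example with a coder policy of rights="none" for the pattern {TEXT,SVG,MSVG}, so a disguised file that slips past validation still fails at the engine rather than reading local files.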
CVE-2026-22601 - OpenProject (entry updated 2026-01-14)

OpenProject is an open-source, web-based project management software. In OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and then sending a test email. This issue has been patched in version 16.6.2.

Severity: HIGH, CVSS 8.6, published 2026-01-10
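The entry for CVE-2026-22601 does not say how the configured sendmail path turns into command execution, so the Ruby example below is a generic hardening pattern for any admin-supplied binary path rather than a description of OpenProject's fix: constrain the value lexically and to an allowlisted directory, then invoke it as an argv array so no shell ever parses it. It is an added example, not OpenProject's code; the directory allowlist, the function names and the -i/-t flag choice (the conventional sendmail flags for ignoring lone dots and reading recipients from headers) are assumptions.

```ruby
# Directories an administrator is allowed to point the sendmail setting at.
# Assumed allowlist for this example; adjust to your hosts' actual MTA layout.
ALLOWED_SENDMAIL_DIRS = %w[/usr/sbin /usr/lib /usr/bin].freeze

# Characters that have meaning to /bin/sh. Rejecting them is belt-and-braces:
# the invocation below never goes through a shell anyway.
SHELL_META = /[\s;&|`$<>(){}\[\]*?!'"\\]/

# Returns [ok?, path_or_reason]. Purely lexical checks, so the result is the
# same on any host; add File.executable?(path) at configuration time on the
# real system, where the binary is expected to exist.
def validate_sendmail_path(path)
  return [false, 'path must be absolute'] unless path.start_with?('/')
  return [false, 'path contains shell metacharacters'] if path.match?(SHELL_META)
  return [false, 'path must not contain ..'] if path.split('/').include?('..')
  dir = File.dirname(path)
  return [false, "#{dir} is not an allowed directory"] unless ALLOWED_SENDMAIL_DIRS.include?(dir)
  [true, path]
end

# Build the argv array for the MTA. Handing an array (not a string) to
# IO.popen / Process.spawn means the binary is exec()ed directly and no shell
# ever parses the administrator-supplied value, so flags or commands smuggled
# into the setting cannot take effect.
def sendmail_argv(path)
  ok, reason = validate_sendmail_path(path)
  raise ArgumentError, reason unless ok
  [path, '-i', '-t']
end

# Shape of the safe invocation (not executed here):
#   IO.popen(sendmail_argv(configured_path), 'w') { |io| io.write(message) }

if __FILE__ == $PROGRAM_NAME
  ['/usr/sbin/sendmail', '/usr/sbin/sendmail; id', '/tmp/evil', 'sendmail'].each do |candidate|
    puts "#{candidate.inspect} => #{validate_sendmail_path(candidate).inspect}"
  end
end
```

The allowlist is the control that matters most: even with argv-style invocation, a path that may point anywhere lets an administrator execute any binary on the host as the application user, which is the outcome the CVE describes. Restricting the setting to known MTA locations, or removing it from the web UI entirely in favour of deployment configuration, closes that off.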