
opf — Vulnerabilities & Security Advisories (34)

Browse all 34 CVE security advisories affecting opf. AI-powered Chinese analysis, POCs, and references for each vulnerability.

opf is the vendor identifier under which OpenProject, an open-source web-based project management application, is tracked; every advisory on this page affects the openproject product. The recorded CVEs fall into a handful of classes typical of a large multi-tenant web application with many permission boundaries: broken access control and insecure direct object references (CWE-284, CWE-862, CWE-863, CWE-639) across meetings, budgets, wiki pages and user management; stored cross-site scripting and HTML injection (CWE-79, CWE-80), including a Content Security Policy bypass via the MIME type of served repository files; SQL, command and argument injection (CWE-89, CWE-78, CWE-77) that reaches remote code execution or arbitrary file write; path traversal and server-side request forgery (CWE-22, CWE-918); and missing brute-force protection on the change-password and 2FA OTP functions (CWE-307). Several entries are rated Critical (CVSS 9.1 to 9.9), among them two SQL injections and an arbitrary file read through the ImageMagick SVG coder. All but three of the advisories listed here were published between January and April 2026, so an instance that has not been upgraded since 2025 is exposed to most of them at once. Operators should follow OpenProject's security releases, upgrade promptly, and monitor for exploitation of the authentication and injection issues, which affect both data confidentiality and system availability.

Top products by opf: openproject (every advisory below affects this product)

Scores and severities marked (AI) are flagged on the site with an AI badge rather than shown as plain values; a severity of "-" means none is shown for that entry.

| CVE ID | Title | CWE | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-40896 | OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup | CWE-367 | 6.5 | Medium | 2026-04-20 |
| CVE-2026-33667 | OpenProject: 2FA OTP Verification Missing Rate Limiting | CWE-307 | 7.4 | High | 2026-04-15 |
| CVE-2026-34717 | OpenProject: SQL Injection in Cost Reporting =n Operator via parse_number_string | CWE-89 | 9.9 | Critical | 2026-04-02 |
| CVE-2026-32703 | OpenProject repository files are served with a MIME type that allows them to be used to bypass Content Security Policy | CWE-79 | 9.1 | Critical | 2026-03-18 |
| CVE-2026-32698 | OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution | CWE-89 | 9.1 | Critical | 2026-03-18 |
| CVE-2026-31974 | Blind SSRF on OpenProject instance via webhooks | CWE-918 | 3.0 | Low | 2026-03-11 |
| CVE-2026-30239 | OpenProject has a Permission Check bypass on Budget deletion that allows reassignment of WorkPackages into other budgets | CWE-863 | 6.5 | Medium | 2026-03-11 |
| CVE-2026-30236 | OpenProject users that are not project members can be used to calculate Labor Budget, leaking their global hourly rate | CWE-863 | 4.3 | Medium | 2026-03-11 |
| CVE-2026-30235 | Business Logic Error in OpenProject through hyperlinks in markdown using DOM clobbering | CWE-79 | 6.5 | Medium | 2026-03-11 |
| CVE-2026-30234 | OpenProject BIM BCF XML Import: <Snapshot> Path Traversal Leads to Arbitrary Local File Read (AFR) | CWE-22 | 6.5 | Medium | 2026-03-11 |
| CVE-2026-27723 | OpenProject: Insufficient access control allows creating Wiki objects belonging to unpermitted projects | CWE-284 | 4.3 | Medium | 2026-03-05 |
| CVE-2026-24777 | OpenProject has Improper Access Control on User Management that allows user managers to lock admin accounts | CWE-862 | 6.7 | Medium | 2026-02-09 |
| CVE-2026-25763 | Command Injection on OpenProject repositories leads to Remote Code Execution | CWE-78 | 6.5 (AI) | Medium (AI) | 2026-02-06 |
| CVE-2026-25764 | OpenProject vulnerable to Stored HTML injection | CWE-80 | 3.5 | Low | 2026-02-06 |
| CVE-2026-24776 | OpenProject has an IDOR on MeetingAgendaItems that allows cross-project meeting agenda item transfer | CWE-639 | 4.3 | Medium | 2026-02-06 |
| CVE-2026-24775 | OpenProject has Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in the OpenProject Blocknote Editor Extension | CWE-345 | 6.3 | Medium | 2026-01-28 |
| CVE-2026-24772 | OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server | CWE-345 | 8.9 | High | 2026-01-28 |
| CVE-2026-24685 | OpenProject has Argument Injection in the Repository module that allows Arbitrary File Write | CWE-77 | 7.5 (AI) | High (AI) | 2026-01-28 |
| CVE-2026-23721 | OpenProject users with "View Members" permission in any project can view all Group memberships | CWE-862 | 4.3 | Medium | 2026-01-19 |
| CVE-2026-23646 | OpenProject users can delete other users' sessions, logging them out | CWE-488 | 6.5 | Medium | 2026-01-19 |
| CVE-2026-23625 | OpenProject has stored XSS regression using attachments and script-src self | CWE-79 | 8.7 | High | 2026-01-19 |
| CVE-2026-22605 | OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings | CWE-284 | 4.3 | Medium | 2026-01-10 |
| CVE-2026-22604 | OpenProject is vulnerable to user enumeration via the change password function | CWE-200 | 5.3 | - | 2026-01-10 |
| CVE-2026-22603 | OpenProject has no protection against brute-force attacks in the Change Password function | CWE-307 | 9.8 | - | 2026-01-10 |
| CVE-2026-22602 | OpenProject is Vulnerable to User Enumeration via User ID | CWE-200 | 3.5 | Low | 2026-01-10 |
| CVE-2026-22601 | OpenProject is Vulnerable to Code Execution in E-Mail function | CWE-77 | 7.2 | - | 2026-01-10 |
| CVE-2026-22600 | OpenProject is Vulnerable to Arbitrary File Read via ImageMagick SVG Coder | CWE-200 | 9.1 | Critical | 2026-01-10 |
| CVE-2025-24892 | OpenProject stored HTML injection vulnerability | CWE-79 | 3.5 | Low | 2025-02-10 |
| CVE-2024-41801 | OpenProject packaged installation has Open Redirect Vulnerability in Sign-In in default configuration | CWE-601 | 4.7 | Medium | 2024-07-25 |
| CVE-2024-35224 | Stored Cross-Site Scripting (XSS) in OpenProject | CWE-80 | 7.6 | High | 2024-05-23 |

This page lists every published CVE security advisory associated with opf. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.