Please find our statement on security in this document: https://www.openproject.org/docs/security-and-privacy/statement-on-security/
Security: opf/openproject
Security
SECURITY.md
-
Shares API Information DisclosureGHSA-cfg3-f34w-9xx5 published
May 13, 2026 by oliverguentherModerate -
Title: Server-Side Request Forgery (SSRF) in SAML Metadata FetchGHSA-mq29-cmv3-rcmr published
Jun 10, 2026 by oliverguentherModerate -
Server-Side Request Forgery (SSRF) in Jira Attachment ImportGHSA-x2wp-9w6m-f39m published
Jul 1, 2026 by oliverguentherModerate -
SQL Injection in Cost Reporting =n Operator via parse_number_stringGHSA-5rrm-6qmq-2364 published
Mar 31, 2026 by oliverguentherCritical -
Repository files are served with the MIME type allowing them to be used to bypass Content Security PolicyGHSA-p423-72h4-fjvp published
Mar 16, 2026 by oliverguentherCritical -
SQL Injection via Custom Field Name can be chained to Remote Code ExecutionGHSA-jqhf-rf9x-9rhx published
Mar 16, 2026 by oliverguentherCritical -
SSRF via Multiple Admin Features — Inconsistent SsrfProtection Usage (CWE-918)GHSA-p692-v488-c3hq published
Jul 1, 2026 by oliverguentherModerate -
2FA OTP Verification Missing Rate Limiting (CWE-307)GHSA-234r-45m2-w6cv published
Apr 15, 2026 by oliverguentherHigh -
Blind SSRF on OpenProject instance via webhooks, and through /admin/test_email via POST request leads to internal network reconnaissanceGHSA-9wr7-j98g-2jh3 published
Mar 11, 2026 by machisujiLow -
Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Package SubjectsGHSA-p9gq-hrgh-2645 published
May 13, 2026 by oliverguentherModerate
Learn more about advisories related to opf/openproject in the GitHub Advisory Database