In OpenProject versions prior to 16.6.2 a medium severity vulnerability CVE-2026-22603 was detected. This vulnerability allows attackers to perform unlimited password-guessing attacks against user accounts by abusing an unauthenticated password-change endpoint that lacks brute-force protection, potentially leading to full account compromise and further privilege escalation. To address this issue, users should upgrade OpenProject to version 16.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22603.
In OpenProject versions from 11.2.1 to before 16.6.2 a medium severity vulnerability CVE-2026-22604 was detected. This vulnerability allows attackers to enumerate valid usernames by sending unauthenticated POST requests to the /account/change_password endpoint with arbitrary user IDs, which causes the application to disclose usernames in error responses. To address this issue, users should upgrade OpenProject to version 16.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22604.
In OpenProject versions prior to 16.6.3 a medium severity vulnerability CVE-2026-22605 was detected. This vulnerability allows users with the View Meetings permission on any project to access meeting details belonging to projects they do not have permission to view. To address this issue, users should upgrade OpenProject to version 16.6.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22605.
In Ghost versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3 a medium severity vulnerability CVE-2026-22596 was detected. This vulnerability allows attackers with valid Ghost Admin API authentication credentials to execute arbitrary SQL commands via the /ghost/api/admin/members/events endpoint, potentially leading to data disclosure, modification, or full database compromise. To address this issue, users should upgrade Ghost to versions 5.130.6 or 6.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22596.
In OpenProject versions 16.6.1 and below a low severity vulnerability CVE-2026-22602 was detected. This vulnerability allows a low-privileged logged-in user to enumerate and view the full names of other users due to predictable sequential user IDs, both via the web interface and the API. To address this issue, users should upgrade OpenProject to version 16.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22602.
In GitLab CE/EE versions from 15.10 before 18.3.6, 18.4 before 18.4.4 and 18.5 before 18.5.2 a high severity vulnerability CVE-2025-11224 was detected. This vulnerability allows an authenticated attacker to perform stored cross-site scripting attacks due to improper input validation in the Kubernetes proxy functionality, potentially executing malicious scripts in the context of other users' browsers. To address this issue, users should upgrade GitLab to versions 18.3.6, 18.4.4, 18.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11224.
In Nexus Repository 3 versions 3.82.0 through 3.87.1 a medium severity vulnerability CVE-2026-0601 was detected. This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser via a specially crafted request that requires user interaction, leading to reflected cross-site scripting attacks. To address this issue, users should upgrade Nexus Repository 3 to version 3.88.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0601.
In OpenProject versions prior to 16.6.4 a critical severity vulnerability CVE-2026-22600 was detected. This vulnerability allows authenticated attackers with permission to upload attachments to exploit the work package PDF export functionality to read arbitrary local files by uploading a specially crafted SVG file disguised as a PNG, which abuses ImageMagick image processing during PDF generation. To address this issue, users should upgrade OpenProject to version 16.6.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22600.