In Kanboard versions prior to 1.2.51 a high severity vulnerability CVE-2026-33058 was detected. This vulnerability allows attackers with permission to add users to a project to perform SQL injection and dump the entire Kanboard database. To address this issue, users should upgrade Kanboard to version 1.2.51. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33058.
Read more Project ManagementIn Kimai versions prior to 2.51.0 a medium severity vulnerability CVE-2026-28685 was detected. This vulnerability allows attackers with ROLE_TEAMLEAD to access invoices belonging to customers they should not have permission to view due to missing customer-level access control in the API. To address this issue, users should upgrade Kimai to version 2.51.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28685.
Read more Project ManagementIn Foreman versions 1.22.0 and higher a high severity vulnerability CVE-2025-9572 was detected. This vulnerability allows low-privileged users to bypass access controls in the GraphQL API, enabling them to access metadata beyond their assigned permissions and potentially leading to unauthorized information disclosure. To address this issue, users should upgrade Foreman to versions 3.16.2 or 3.17.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9572.
Read more IT Business ManagementIn Kanboard versions prior to 1.2.50 a medium severity vulnerability CVE-2026-25531 was identified. This vulnerability allows an authenticated user to duplicate tasks into projects they do not have access to because the TaskCreationController::duplicateProjects() endpoint does not properly validate user permissions for target projects. To address this issue, users should upgrade Kanboard to version 1.2.50. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25531.
Read more Project ManagementIn Kanboard versions prior to 1.2.50 a medium severity vulnerability CVE-2026-25530 was detected. This vulnerability allows authenticated attackers to access swimlane data from projects they are not authorized to view due to a missing project-level authorization check in the `getSwimlane` API method. To address this issue, users should upgrade Kanboard to version 1.2.50 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25530.
Read more Project ManagementIn Kanboard versions prior to 1.2.50 a medium severity vulnerability CVE-2026-24885 was detected. This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) against the `changeUserRole` action in the `ProjectPermissionController` due to improper enforcement of the `application/json` Content-Type, potentially enabling unauthorized modification of project user roles if an authenticated administrator visits a malicious site. To address this issue, users should upgrade Kanboard to version 1.2.50 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24885.
Read more Project ManagementIn Kimai versions prior to 2.46.0 a medium severity vulnerability CVE-2026-23626 was detected. This vulnerability allows authenticated attackers with export permissions to execute arbitrary method calls in malicious Twig templates, enabling the extraction of sensitive information such as environment variables, user password hashes, session tokens, and CSRF tokens. To address this issue, users should upgrade Kimai to version 2.46.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23626.
Read more Project Management Newsflash Project and Agile ManagementIn OpenProject versions prior to 16.6.2 a medium severity vulnerability CVE-2026-22603 was detected. This vulnerability allows attackers to perform unlimited password-guessing attacks against user accounts by abusing an unauthenticated password-change endpoint that lacks brute-force protection, potentially leading to full account compromise and further privilege escalation. To address this issue, users should upgrade OpenProject to version 16.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22603.
Read more Project ManagementIn OpenProject versions from 11.2.1 to before 16.6.2 a medium severity vulnerability CVE-2026-22604 was detected. This vulnerability allows attackers to enumerate valid usernames by sending unauthenticated POST requests to the /account/change_password endpoint with arbitrary user IDs, which causes the application to disclose usernames in error responses. To address this issue, users should upgrade OpenProject to version 16.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22604.
Read more Project Management