In OpenProject versions prior to 16.6.3 a medium severity vulnerability CVE-2026-22605 was detected. This vulnerability allows users with the View Meetings permission on any project to access meeting details belonging to projects they do not have permission to view. To address this issue, users should upgrade OpenProject to version 16.6.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22605.
Read more Project ManagementIn OpenProject versions 16.6.1 and below a high severity vulnerability CVE-2026-22601 was detected. This vulnerability allows a registered administrator to execute arbitrary commands by configuring the sendmail binary path and sending a test email. To address this issue, users should upgrade OpenProject to version 16.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22601.
Read more Project ManagementIn OpenProject versions 16.6.1 and below a low severity vulnerability CVE-2026-22602 was detected. This vulnerability allows a low‑privileged logged-in user to enumerate and view the full names of other users due to predictable sequential user IDs, both via the web interface and the API. To address this issue, users should upgrade OpenProject to version 16.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22602.
Read more Project ManagementIn OpenProject versions prior to 16.6.4 a critical severity vulnerability CVE-2026-22600 was detected. This vulnerability allows authenticated attackers with permission to upload attachments to exploit the work package PDF export functionality to read arbitrary local files by uploading a specially crafted SVG file disguised as a PNG, which abuses ImageMagick image processing during PDF generation. To address this issue, users should upgrade OpenProject to version 16.6.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22600.
Read more Project ManagementIn Kimai version 1.30.10 a critical severity vulnerability CVE-2023-53957 was detected. This vulnerability allows attackers to exploit improper SameSite cookie handling to steal user session cookies, potentially leading to session hijacking. An attacker can trick a victim into executing a crafted PHP script that captures and writes session cookie data, enabling unauthorized access to the user’s account. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-53957.
Read more Project ManagementIn Combodo iTop versions prior to 2.7.13 and 3.2.2 a high severity vulnerability CVE-2025-47932 was detected. This vulnerability allows cross-site scripting (XSS) attacks when a dashboard is rendered via an AJAX call, due to unsanitized input. To fix this vulnerability, users should upgrade to iTop versions 2.7.13 or 3.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-47932.
Read more IT Business ManagementIn Combodo iTop versions prior to 2.7.13 and 3.2.2 a high severity vulnerability CVE-2025-47773 was detected. This vulnerability allows attackers to perform cross-site scripting (XSS) when a dashboard is edited via an AJAX call. To fix this vulnerability, users should upgrade to iTop versions 2.7.13 or 3.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-47773.
Read more IT Business ManagementIn Combodo iTop versions prior to 2.7.13 and 3.2.2 a high severity vulnerability CVE-2025-47286 was detected. This vulnerability allows an administrator to execute arbitrary code on the server by editing the configuration of the iTop instance in the backup creation functionality. To fix this vulnerability, users should upgrade to iTop versions 2.7.13 or 3.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-47286.
Read more IT Business ManagementIn Combodo iTop versions prior to 2.7.13 and 3.2.2 a high severity vulnerability CVE-2025-64167 was detected. This vulnerability allows remote attackers to execute arbitrary JavaScript code when a user edits the URL parameter due to improper input sanitization. To fix this vulnerability, users should upgrade to iTop version 2.7.13, 3.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-64167.
Read more IT Business Management