Project Management

In OpenProject versions from 11.2.1 to before 16.6.2 a medium severity vulnerability CVE-2026-22604 was detected. This vulnerability allows attackers to enumerate valid usernames by sending unauthenticated POST requests to the /account/change_password endpoint with arbitrary user IDs, which causes the application to disclose usernames in error responses. To address this issue, users should upgrade OpenProject to version 16.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22604.

In OpenProject versions prior to 16.6.3 a medium severity vulnerability CVE-2026-22605 was detected. This vulnerability allows users with the View Meetings permission on any project to access meeting details belonging to projects they do not have permission to view. To address this issue, users should upgrade OpenProject to version 16.6.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22605.

In OpenProject versions prior to 16.6.4 a critical severity vulnerability CVE-2026-22600 was detected. This vulnerability allows authenticated attackers with permission to upload attachments to exploit the work package PDF export functionality to read arbitrary local files by uploading a specially crafted SVG file disguised as a PNG, which abuses ImageMagick image processing during PDF generation. To address this issue, users should upgrade OpenProject to version 16.6.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22600.

In OpenProject versions 16.6.1 and below a high severity vulnerability CVE-2026-22601 was detected. This vulnerability allows a registered administrator to execute arbitrary commands by configuring the sendmail binary path and sending a test email. To address this issue, users should upgrade OpenProject to version 16.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22601.

In OpenProject versions 16.6.1 and below a low severity vulnerability CVE-2026-22602 was detected. This vulnerability allows a low‑privileged logged-in user to enumerate and view the full names of other users due to predictable sequential user IDs, both via the web interface and the API. To address this issue, users should upgrade OpenProject to version 16.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22602.

In Kimai version 1.30.10 a critical severity vulnerability CVE-2023-53957 was detected. This vulnerability allows attackers to exploit improper SameSite cookie handling to steal user session cookies, potentially leading to session hijacking. An attacker can trick a victim into executing a crafted PHP script that captures and writes session cookie data, enabling unauthorized access to the user’s account. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-53957.

In Kanboard versions prior to 1.2.47 a medium severity vulnerability CVE-2025-55011 was detected. This vulnerability allows attackers to write files anywhere on the system the application user controls due to missing validation of the task_id parameter and lack of path traversal checks in the createTaskFile API method. To address this issue users should upgrade Kanboard to version 1.2.47 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55011.

In Kanboard versions prior to 1.2.47 a critical severity vulnerability CVE-2025-55010 was detected. This vulnerability allows attackers with admin access to achieve remote code execution by exploiting unsafe deserialization in the ProjectEventActivityFormatter via the event[“data”] field in the project_activities table, potentially writing a web shell to the /plugins folder. To address this issue, users should upgrade Kanboard to version 1.2.47 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55010.

In Kimai versions 0.9.2.beta, 0.9.2.1294.beta and 0.9.2.1306-3 a critical severity vulnerability CVE-2013-10033 was detected. This vulnerability allows unauthenticated attackers to perform SQL injection via the db_restore.php endpoint’s dates[] POST parameter, which under certain conditions can be exploited to write arbitrary files and achieve remote code execution. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2013-10033.