CVE-2020-36988 - PDW File Browser <= v1.3 - Cross-Site Scripting (XSS)
CVE ID : CVE-2020-36988
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims' browsers when they access the file browser.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2020-36988
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims' browsers when they access the file browser.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2020-36989 - ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path
CVE ID : CVE-2020-36989
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2020-36989
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2020-36990 - Input Director 1.4.3 - 'Input Director' Unquoted Service Path
CVE ID : CVE-2020-36990
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2020-36990
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2020-36991 - ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path
CVE ID : CVE-2020-36991
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : ShareMouse 5.0.43 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure service path configuration by placing malicious executables in specific system directories to gain elevated access during service startup.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2020-36991
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : ShareMouse 5.0.43 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure service path configuration by placing malicious executables in specific system directories to gain elevated access during service startup.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2020-36992 - Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path
CVE ID : CVE-2020-36992
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : Nord VPN 6.31.13.0 contains an unquoted service path vulnerability in its nordvpn-service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path during system startup or reboot to potentially run malicious code with LocalSystem permissions.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2020-36992
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : Nord VPN 6.31.13.0 contains an unquoted service path vulnerability in its nordvpn-service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path during system startup or reboot to potentially run malicious code with LocalSystem permissions.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2020-36993 - LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting
CVE ID : CVE-2020-36993
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2020-36993
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14865 - Passster – Password Protect Pages and Content <= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID : CVE-2025-14865
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14865
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1056 - Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal
CVE ID : CVE-2026-1056
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1056
Published : Jan. 28, 2026, 1:15 p.m. | 57 minutes ago
Description : The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14795 - Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist
CVE ID : CVE-2025-14795
Published : Jan. 28, 2026, 1:26 p.m. | 47 minutes ago
Description : The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14795
Published : Jan. 28, 2026, 1:26 p.m. | 47 minutes ago
Description : The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1536 - Libsoup: libsoup: http header injection or response splitting via crlf injection in content-disposition header
CVE ID : CVE-2026-1536
Published : Jan. 28, 2026, 3:15 p.m. | 1 hour, 1 minute ago
Description : A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1536
Published : Jan. 28, 2026, 3:15 p.m. | 1 hour, 1 minute ago
Description : A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1539 - Libsoup: libsoup: credential leakage via http redirects
CVE ID : CVE-2026-1539
Published : Jan. 28, 2026, 3:15 p.m. | 1 hour, 1 minute ago
Description : A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1539
Published : Jan. 28, 2026, 3:15 p.m. | 1 hour, 1 minute ago
Description : A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1060 - WP Adminify <= 4.0.7.7 - Unauthenticated Sensitive Information Exposure via 'get-addons-list' REST API
CVE ID : CVE-2026-1060
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1060
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1237 - Juju Charm Cross-Model Authorization Bypass
CVE ID : CVE-2026-1237
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1237
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1520 - rethinkdb Secondary Index cross site scripting
CVE ID : CVE-2026-1520
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1520
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1521 - Open5GS SGWC s5c-handler.c denial of service
CVE ID : CVE-2026-1521
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : A security flaw has been discovered in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_bearer_resource_failure_indication of the file src/sgwc/s5c-handler.c of the component SGWC. Performing a manipulation results in denial of service. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The patch is named 69b53add90a9479d7960b822fc60601d659c328b. It is recommended to apply a patch to fix this issue.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1521
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : A security flaw has been discovered in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_bearer_resource_failure_indication of the file src/sgwc/s5c-handler.c of the component SGWC. Performing a manipulation results in denial of service. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The patch is named 69b53add90a9479d7960b822fc60601d659c328b. It is recommended to apply a patch to fix this issue.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-23014 - perf: Ensure swevent hrtimer is properly destroyed
CVE ID : CVE-2026-23014
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-23014
Published : Jan. 28, 2026, 3:16 p.m. | 1 hour, 1 minute ago
Description : In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58150 - x86: buffer overrun with shadow paging + tracing
CVE ID : CVE-2025-58150
Published : Jan. 28, 2026, 3:33 p.m. | 44 minutes ago
Description : Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58150
Published : Jan. 28, 2026, 3:33 p.m. | 44 minutes ago
Description : Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-23553 - x86: incomplete IBPB for vCPU isolation
CVE ID : CVE-2026-23553
Published : Jan. 28, 2026, 3:33 p.m. | 43 minutes ago
Description : In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-23553
Published : Jan. 28, 2026, 3:33 p.m. | 43 minutes ago
Description : In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-0750 - Payment bypass in Commerce Paybox
CVE ID : CVE-2026-0750
Published : Jan. 28, 2026, 7:16 p.m. | 1 hour, 2 minutes ago
Description : Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-0750
Published : Jan. 28, 2026, 7:16 p.m. | 1 hour, 2 minutes ago
Description : Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-24772 - OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server
CVE ID : CVE-2026-24772
Published : Jan. 28, 2026, 7:16 p.m. | 1 hour, 2 minutes ago
Description : OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.
Severity: 8.9 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-24772
Published : Jan. 28, 2026, 7:16 p.m. | 1 hour, 2 minutes ago
Description : OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled.
Severity: 8.9 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-24775 - OpenProject has Forced Actions, Content Spoofing, and Persistent DoS via ID Manipulation in OpenProject Blocknote Editor Extension
CVE ID : CVE-2026-24775
Published : Jan. 28, 2026, 7:16 p.m. | 1 hour, 2 minutes ago
Description : OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-24775
Published : Jan. 28, 2026, 7:16 p.m. | 1 hour, 2 minutes ago
Description : OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...