CRITICAL🇵🇱 Wersja polska

CVE-2026-25763

CVSS 9.4v4.0pub. 2026-02-06upd. 2026-02-13

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Openproject

    APP
    Openproject
    < 16.6.717.0.0 – 17.0.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-34717CRITICAL9.9PL ✓ten sam produkt

SQL Injection w OpenProject — operator =n bez parametryzacji zapytań

CVE-2026-32703CRITICAL9.0PL ✓ten sam produkt

Stored XSS w module Repositories aplikacji OpenProject

CVE-2026-32698CRITICAL9.1PL ✓ten sam produkt

SQL Injection w OpenProject umożliwiający zdalne wykonanie kodu Ruby

CVE-2026-24685CRITICAL9.4PL ✓ten sam produkt

OpenProject: command injection w endpoincie diff repozytorium (zapis dowolnych plików)

CVE-2026-22600CRITICAL9.1PL ✓ten sam produkt

OpenProject — odczyt lokalnych plików przez SVG/ImageMagick przy eksporcie PDF