Recent Advisories

| Severity | Score | ID | Title | Description | Vendor | Product | Date | Type |
|---|---|---|---|---|---|---|---|---|
| MEDIUM | 4.3 | CVE-2026-49355 | OpenProject: Private work package data disclosure through single meeting agenda item API | OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id`... | opf | openproject < 17.4.0 | | CVE |
| MEDIUM | 6.5 | CVE-2026-44736 | OpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Package Subjects | OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated use... | opf | openproject < 17.4.0 | | CVE |
| MEDIUM | 6.5 | CVE-2026-44735 | OpenProject: Shares API Information Disclosure | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share detail... | opf | openproject < 17.3.2 | | CVE |
| MEDIUM | 6.5 | CVE-2026-44734 | OpenProject: Improper Access Control on OpenProject through the POST request to /projects/[PROJECT_NAME]/cost_reports/[REPORT_ID]/rename | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in Open... | opf | openproject < 17.3.2 | | CVE |
| MEDIUM | 5.9 | CVE-2026-44733 | OpenProject: Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, Business Logic Error on OpenProject through PATCH re... | opf | openproject < 17.3.2 | | CVE |
| MEDIUM | 4.3 | CVE-2026-44732 | OpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter “project_id” leads to Unauthorized Modification of Resources | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used ... | opf | openproject < 17.3.2 | | CVE |
| MEDIUM | 4.3 | CVE-2026-44731 | OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via “invited_user_id” in GET parameter “filters” leads to user names disclosure | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks ... | opf | openproject < 17.3.2 | | CVE |
| MEDIUM | 5.7 | CVE-2026-44696 | OpenProject: Stored CSS injection via Sanitize::Config::RELAXED[:css] enables phishing overlays and data exfiltration | OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sani... | opf | openproject < 17.4.0 | | CVE |
| MEDIUM | 5.3 | CVE-2026-29509 | Patool < 4.0.5 Path Traversal via safe_extract() Function | Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Pytho... | wummel | patool | | CVE |
| MEDIUM | 5 | CVE-2026-48770 | Notepad++ WM_COPYDATA COPYDATA_FULL_CMDLINE local DoS crash | Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malfor... | notepad-plus-plus | notepad-plus-plus < 8.9.6.1 | | CVE |