Recent Advisories

Severity | ID | Vendor | Product | Type

MEDIUM 6.4 | CVE-2026-52781 | opf | openproject < 17.3.3 | CVE
OpenProject: Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter “description”
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted dat...

MEDIUM 5.4 | CVE-2026-52779 | opf | openproject < 17.3.3 | CVE
OpenProject: Cross-project authorization bypass allows deleting public Calendar and Team Planner queries from unauthorized projects
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusi...

MEDIUM 4.3 | CVE-2026-55838 | rustfs | rustfs <= 1.0.0-beta.7 | CVE
RustFS: Missing admin authorization on /rustfs/admin/v3/metrics allows any authenticated user to read server metrics
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metric...

MEDIUM 4.3 | CVE-2026-49355 | opf | openproject < 17.4.0 | CVE
OpenProject: Private work package data disclosure through single meeting agenda item API
OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id`...

MEDIUM 6.5 | CVE-2026-44736 | opf | openproject < 17.4.0 | CVE
OpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Package Subjects
OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated use...

MEDIUM 6.5 | CVE-2026-44735 | opf | openproject < 17.3.2 | CVE
OpenProject: Shares API Information Disclosure
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share detail...

MEDIUM 6.5 | CVE-2026-44734 | opf | openproject < 17.3.2 | CVE
OpenProject: Improper Access Control on OpenProject through the POST request to /projects/[PROJECT_NAME]/cost_reports/[REPORT_ID]/rename
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in Open...

MEDIUM 5.9 | CVE-2026-44733 | opf | openproject < 17.3.2 | CVE
OpenProject: Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, Business Logic Error on OpenProject through PATCH re...

MEDIUM 4.3 | CVE-2026-44732 | opf | openproject < 17.3.2 | CVE
OpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter “project_id” leads to Unauthorized Modification of Resources
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used ...

MEDIUM 4.3 | CVE-2026-44731 | opf | openproject < 17.3.2 | CVE
OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via “invited_user_id” in GET parameter “filters” leads to user names disclosure
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks ...