CVE-2026-34717

CRITICAL9.9Injection

Description

OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

High

Affected products

opf / openproject< 17.2.3 – < 17.2.3

References

VENDOR_ADVISORYhttps://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364
PATCHhttps://github.com/opf/openproject/releases/tag/v17.2.3

Updated 4m ago · 2 sources