CNNVD-202601-1776 Information

CNNVD ID

CNNVD-202601-1776

Related CVE

CVE-2026-22600

• CNNVD Published: 2026-01-10

Description (Chinese)

OpenProject是OpenProject开源的一个基于Web的项目管理软件。 OpenProject 16.6.4之前版本存在信息泄露漏洞，该漏洞源于工作包PDF导出功能存在本地文件读取漏洞，攻击者可通过上传特制SVG文件，利用后端图像处理引擎读取任意本地文件。

Description (English)

OpenProject is a Web-based project management software from OpenProject Open Source. The leak of information in the previous version of OpenProject 16.6.4 stems from the fact that there is a local file reading gap in the PDF export function of the work package and that the assailant can read any local file using the backend image processing engine by uploading a special SVG file.

Hazard Level

Low

Vulnerability Type

信息泄露

Affected Vendor

OpenProject

Published

2026-01-10

Last Modified

2026-02-24

References

https://github.com/opf/openproject/releases/tag/v16.6.4 https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh

Patch

https://github.com/opf/openproject/releases