Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Lifecycle Timeline
8DescriptionGitHub Advisory
OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.
AnalysisAI
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via the =n operator. Affects all versions prior to 17.2.3. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires authenticated access to the OpenProject instance with permissions to access the reporting module. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk assessment reveals a nuanced threat profile despite the critical CVSS 9.9 rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker with low-privilege access to an OpenProject instance navigates to the reporting module and crafts a custom report filter using the equals-not (=n) operator. By injecting SQL metacharacters and commands into the filter value field (for example: ' OR 1=1 UNION SELECT password FROM users --), the attacker bypasses input validation and causes the reporting module to execute arbitrary SQL against the backend database. … |
| Remediation | Upgrade to OpenProject version 17.2.3 immediately, as confirmed by the official release at https://github.com/opf/openproject/releases/tag/v17.2.3 and security advisory GHSA-5rrm-6qmq-2364. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OpenProject instances and identify those running versions prior to 17.2.3; assess which have internet exposure or are accessible to untrusted internal users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openproject
View allAuthenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr
Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying
Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication toke
Arbitrary file write in OpenProject versions before 16.6.6 and 17.0.2 allows authenticated users with repository browse
Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id c
Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18470