Skip to main content

Onedev

23 CVEs product

Monthly

CVE-2026-49248 HIGH PATCH This Week

Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked `..` path traversal in TAR entry names but never validated symlink targets. No public exploit has been identified at time of analysis, but the official patch commit and GitHub Security Advisory GHSA-55g8-94r5-cj37 publicly describe the bypass mechanism.

Authentication Bypass Onedev
NVD GitHub
CVSS 4.0
8.3
EPSS
0.4%
CVE-2026-11441 MEDIUM PATCH This Month

Improper authorization in OneDev's Pull Request Handler allows authenticated remote attackers to bypass issue access controls. The `canAccessIssue` function in the `/issues/` endpoint of theonedev/onedev versions through 15.0.5 fails to correctly enforce authorization, enabling a low-privileged user to access issues they should not be permitted to view or modify. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11440 MEDIUM PATCH This Month

{projectId}/default-branch` endpoint. All OneDev versions through 15.0.5 are affected; the CVSS vector (PR:L) confirms a low-privilege authenticated user is sufficient to trigger the flaw remotely with no user interaction required. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; vendor-released patch v15.0.6 is available.

Authentication Bypass Onedev
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11439 MEDIUM PATCH This Month

Improper authorization in theonedev OneDev versions up to 15.0.5 allows authenticated low-privileged users to manipulate the `project.parentId` parameter in the `/projects/` Parent Project Handler endpoint, bypassing access controls on project hierarchy operations. The CVSS vector (PR:L/AV:N/AC:L) confirms this is a network-exploitable flaw requiring only a low-privilege account with no user interaction. Although the base impact scores are uniformly low (C:L/I:L/A:L), in a self-hosted DevOps platform context - where projects may contain source code, CI/CD pipelines, and secrets - the real-world risk to sensitive deployments exceeds what the 6.3 CVSS score alone conveys. No public exploit or CISA KEV listing exists at time of analysis; an official patch is available as v15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11438 MEDIUM PATCH This Month

Improper authorization in theonedev OneDev up to version 15.0.5 allows authenticated remote attackers to bypass access controls by manipulating the `project.forkedFromId` argument in requests to the `/projects` endpoint. The flaw, classified under CWE-285, enables low-privileged users to perform actions or access project data beyond their authorization scope. No public exploit code has been identified at time of analysis, and a vendor-released patch (v15.0.6) is available.

Authentication Bypass Onedev
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2024-45309 HIGH POC PATCH THREAT This Week

OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Onedev
NVD GitHub
CVSS 4.0
8.7
EPSS
24.8%
CVE-2023-24828 HIGH PATCH This Week

Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Onedev
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-38301 HIGH POC PATCH This Week

Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories via uploading a crafted JAR file into the directory /opt/onedev/lib. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Onedev
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2022-39208 HIGH POC PATCH This Week

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Path Traversal Onedev
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-39207 MEDIUM POC PATCH This Month

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE XSS Onedev
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2022-39206 CRITICAL POC PATCH Act Now

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Docker Code Injection Onedev
NVD GitHub
CVSS 3.1
9.9
EPSS
1.7%
CVE-2022-39205 CRITICAL POC PATCH Act Now

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Authentication Bypass Onedev
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-32651 MEDIUM POC PATCH This Month

OneDev is a development operations platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection LDAP Onedev
NVD GitHub
CVSS 3.1
4.3
EPSS
1.1%
CVE-2021-21251 HIGH This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Onedev
NVD GitHub
CVSS 3.1
8.8
EPSS
12.2%
CVE-2021-21250 MEDIUM PATCH This Month

OneDev is an all-in-one devops platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Onedev
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-21249 HIGH PATCH This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Onedev
NVD GitHub
CVSS 3.1
8.8
EPSS
2.9%
CVE-2021-21248 HIGH PATCH This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Onedev
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-21247 HIGH This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Onedev
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-21246 HIGH POC PATCH THREAT This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Information Disclosure Authentication Bypass Onedev
NVD GitHub
CVSS 3.1
7.5
EPSS
49.1%
CVE-2021-21245 CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload Onedev
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-21242 CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Onedev
NVD GitHub
CVSS 3.1
9.8
EPSS
74.2%
CVE-2021-21244 CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Onedev
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2021-21243 CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Kubernetes Onedev
NVD GitHub
CVSS 3.1
9.8
EPSS
54.5%
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked `..` path traversal in TAR entry names but never validated symlink targets. No public exploit has been identified at time of analysis, but the official patch commit and GitHub Security Advisory GHSA-55g8-94r5-cj37 publicly describe the bypass mechanism.

Authentication Bypass Onedev
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in OneDev's Pull Request Handler allows authenticated remote attackers to bypass issue access controls. The `canAccessIssue` function in the `/issues/` endpoint of theonedev/onedev versions through 15.0.5 fails to correctly enforce authorization, enabling a low-privileged user to access issues they should not be permitted to view or modify. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

{projectId}/default-branch` endpoint. All OneDev versions through 15.0.5 are affected; the CVSS vector (PR:L) confirms a low-privilege authenticated user is sufficient to trigger the flaw remotely with no user interaction required. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; vendor-released patch v15.0.6 is available.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in theonedev OneDev versions up to 15.0.5 allows authenticated low-privileged users to manipulate the `project.parentId` parameter in the `/projects/` Parent Project Handler endpoint, bypassing access controls on project hierarchy operations. The CVSS vector (PR:L/AV:N/AC:L) confirms this is a network-exploitable flaw requiring only a low-privilege account with no user interaction. Although the base impact scores are uniformly low (C:L/I:L/A:L), in a self-hosted DevOps platform context - where projects may contain source code, CI/CD pipelines, and secrets - the real-world risk to sensitive deployments exceeds what the 6.3 CVSS score alone conveys. No public exploit or CISA KEV listing exists at time of analysis; an official patch is available as v15.0.6.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in theonedev OneDev up to version 15.0.5 allows authenticated remote attackers to bypass access controls by manipulating the `project.forkedFromId` argument in requests to the `/projects` endpoint. The flaw, classified under CWE-285, enables low-privileged users to perform actions or access project data beyond their authorization scope. No public exploit code has been identified at time of analysis, and a vendor-released patch (v15.0.6) is available.

Authentication Bypass Onedev
NVD VulDB GitHub
EPSS 25% CVSS 8.7
HIGH POC PATCH THREAT This Week

OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Onedev
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Onedev
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories via uploading a crafted JAR file into the directory /opt/onedev/lib. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Onedev
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Path Traversal Onedev
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE XSS Onedev
NVD GitHub
EPSS 2% CVSS 9.9
CRITICAL POC PATCH Act Now

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Docker Code Injection Onedev
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Authentication Bypass Onedev
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

OneDev is a development operations platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection LDAP Onedev
NVD GitHub
EPSS 12% CVSS 8.8
HIGH This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Onedev
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

OneDev is an all-in-one devops platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Onedev
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Onedev
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Onedev
NVD GitHub
EPSS 2% CVSS 8.8
HIGH This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Onedev
NVD GitHub
EPSS 49% CVSS 7.5
HIGH POC PATCH THREAT This Week

OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Information Disclosure Authentication Bypass Onedev
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload Onedev
NVD GitHub
EPSS 74% CVSS 9.8
CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Onedev
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Onedev
NVD GitHub
EPSS 54% CVSS 9.8
CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Kubernetes Onedev
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy