CVE-2026-25763

CRITICAL EPSS 36.6%
Published Feb 6, 20264mo ago · Modified Jun 17, 20262w ago
9.4 CVSS 4.0
Critical
Find Similar
Published Feb 6, 2026 4mo ago
Last Modified Jun 17, 2026 2w ago

Description

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3.

CVSS Details

Base Score
9.4
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
36.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

Affected Products 2

VendorProductVersionRange
openprojectopenproject* <16.6.7
openprojectopenproject*≥17.0.0  –  <17.0.3

References 3

  • github.com https://github.com/opf/openproject/releases/tag/v16.6.7
    ProductRelease Notes
  • github.com https://github.com/opf/openproject/releases/tag/v17.0.3
    ProductRelease Notes
  • github.com https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.