CVE-2026-34717

Published April 2nd, 2026

View on NVD ↗

CVSS v3

9.9

CRITICAL

CVSS v2

N/A

Affected

PROJECT

Description

OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.

opf/openproject

OpenProject is the leading open source project management software.

GitHub

15.3K