CVE-2026-34717 Openproject — Exploit & Vulnerability Details CRITICAL

CVE-2026-34717

CRITICAL CVSS 3.1: 9.9 EPSS 0.05%

Parameter	Value
CVSS	9.9 (CRITICAL)
Fixed In	17.2.3
Type	CWE-89 (SQL Injection)
Vendor	Openproject
Public PoC	No

OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

Low

Partial data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-89 SQL Injection

References 2

https://github.com/opf/openproject/releases/tag/v17.2.3

security-advisories@github.com

https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33667

Openproject

7.4

CVE-2026-32703

Openproject

5.4

CVE-2026-31974

Openproject

4.3

CVE-2026-30239

Openproject

7.1

CVE-2026-30236

Openproject

4.3

Menu

CVE-2026-34717

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-33667

CVE-2026-32703

CVE-2026-31974

CVE-2026-30239

CVE-2026-30236

CVE Details

Editor's Choice

Menu

CVE-2026-34717

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-33667

CVE-2026-32703

CVE-2026-31974

CVE-2026-30239

CVE-2026-30236

CVE Details

Editor's Choice

Stay informed on cybersecurity