CVE-2026-22601

Severity: HIGH
WAF: High
CVSS: 7.2
Published: 2026-01-10
CWE: CWE-77

OpenProject is open-source, web-based project management software. In OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.

WAF Coverage Analysis

Command Injection: High WAF Coverage

OWASP: A03:2021 Injection

932xxx - Remote Code Execution

Affected Software

Vendor | Product | Version
openproject | openproject | up to 16.6.2
