CVE-2026-32698 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: March 18, 2026
OpenProject - SQL Injection & Remote Code Execution
Overview
OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 contain an SQL injection caused by improper sanitization of custom field names used in Cost Reports. An administrator can use this to execute arbitrary SQL commands and to inject Ruby code via project identifier manipulation.
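The flaw class described above is a user-controlled name (here, a custom field's name) being spliced into SQL as an identifier. The following Ruby snippet is an added illustration, not OpenProject's code: it contrasts a vulnerable builder that interpolates the name directly with a hardened builder that quotes it as a PostgreSQL identifier and, as defence in depth, validates it against a conservative allow-list. The function names, the `cost_entries` table and the sample field names are assumptions constructed for the example.

```ruby
# Added example (hypothetical, not OpenProject code): turning a custom field
# name into a report column reference.

# Vulnerable pattern: the name is interpolated straight into the statement, so a
# name containing a double quote closes the identifier and the rest of the
# string is parsed as SQL.
def vulnerable_column_sql(custom_field_name)
  "SELECT \"#{custom_field_name}\" FROM cost_entries"
end

# Quote a PostgreSQL identifier by hand (same rule PG::Connection.quote_ident
# applies): wrap in double quotes and double every embedded double quote.
# With this, the whole name stays inside one identifier whatever it contains.
def quote_ident(name)
  "\"#{name.gsub('"', '""')}\""
end

# Hardened builder: identifier quoting only.
def safe_column_sql(custom_field_name)
  "SELECT #{quote_ident(custom_field_name)} FROM cost_entries"
end

# Conservative allow-list for field names (assumed policy for this example):
# starts with a letter or underscore, then letters, digits, underscores or
# spaces, at most 63 characters in total (PostgreSQL's identifier limit).
IDENT_RE = /\A[[:alpha:]_][[:alnum:]_ ]{0,62}\z/

# Defence in depth: reject anything outside the allow-list, then quote anyway.
def validated_column_sql(custom_field_name)
  unless custom_field_name.match?(IDENT_RE)
    raise ArgumentError, "invalid custom field name: #{custom_field_name.inspect}"
  end
  safe_column_sql(custom_field_name)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a field name that closes the identifier early.
  hostile = 'Hours"; SELECT 1; --'
  puts vulnerable_column_sql(hostile)   # statement is split; trailing SQL runs
  puts safe_column_sql(hostile)         # one quoted identifier, nothing escapes
  puts validated_column_sql('Hours spent')
end
```

Quoting alone is sufficient to keep the name inside the identifier; the allow-list is there so that an unexpected name is rejected loudly at the application layer instead of being silently accepted.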
Impact
Administrators can execute arbitrary SQL commands and inject Ruby code, potentially leading to full system compromise.
Mitigation
Upgrade to versions 16.6.9, 17.0.6, 17.1.3, or 17.2.1 or later.
Social Media Activity(2 posts)
CVE-2026-32698 - Critical (9.1) OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the c... https://www.thehackerwire.com/vulnerability/CVE-2026-32698/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-32698
- Severity: Critical
- CVSS Score: 9.1
- Type: sql_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H