CVE-2026-52783 is a high-severity vulnerability in OpenProject's Storages module. Prior to versions 17.3.3 and 17.4.1, the module writes OneDrive/SharePoint userless OAuth access tokens in plaintext to Rails.cache. The tokens are continuously repopulated by an hourly cron job and every userless-OAuth call site. Since none of the three allowed cache backends (file_store, memcache, redis) encrypts data at r [truncated]
CVE-2026-52781 is a medium-severity vulnerability in OpenProject, an open-source project management software. The issue lies in the HTML sanitizer, which grants <macro> elements unrestricted data-* attributes via a :data wildcard. This allows an attacker to inject malicious attributes, such as data-controller='poll-for-changes', into a work package description. Consequently, Stimulus.js mounts a controller [truncated]
CVE-2026-44733 is a medium-severity vulnerability in OpenProject, an open-source, web-based project management software. The vulnerability, classified as a business logic error, allows attackers to bypass password requirements through a PATCH request to /api/v3/users/me. This is possible due to a password validation flaw in the change password behavior, which can be exploited with an active session takeov [truncated]