How severe is CVE-2026-22601?

CVE-2026-22601 has a CVSS v3 score of 7.2 (HIGH).

CVE-2026-22601

Name: openproject
Author: openproject

7.2HIGH

OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary

Published: 1/10/2026Updated: 1/14/2026

Description

OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has been patched in version 16.6.2.

AI AnalysisPowered by AI

Affected Products

openprojectopenproject

References

https://github.com/opf/openproject/releases/tag/v16.6.2
Release Notes
https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc
Vendor Advisory