Release date: 2026-03-31
We released OpenProject OpenProject 17.1.4.
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
Security fixes
CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string
The =n operator in cost reports did not appropriately treat user input
This vulnerability was reported by user Ochk0 through a GitHub security advisory. Thank you for responsibly disclosing your findings.
For more information, please see the GitHub advisory #GHSA-5rrm-6qmq-2364