CVE-2026-5624 - Vulnerability Details

- ProjectSend upload.php cross-site request forgery

Description

A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version r2029 is able to resolve this issue. The patch is named 2c0d25824ab571b6c219ac1a188ad9350149661b. You should upgrade the affected component.

Published: 2026-04-06

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

ProjectSend r2002 contains a flaw in upload.php that permits cross‑site request forgery. An attacker could send a crafted HTTP request that triggers an action normally protected by the user’s session, allowing unauthorized file uploads or other privileged actions. The CVE description refers to this as a CSRF vulnerability (CWE‑352) and notes that the exploit has been publicly released, indicating that remote attackers can target the vulnerable component.

Affected Systems

Any installation of ProjectSend running version r2002 or earlier is affected, since the flaw resides in upload.php. The vendor recommends upgrading to release r2029, which incorporates the fix identified by commit 2c0d25824ab571b6c219ac1a188ad9350149661b. No other products or vendors are listed.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity, though EPSS data is not available and the vulnerability is not listed in the KEV catalog. Based on the description, it is inferred that the attack can be initiated remotely, and the existence of a public exploit suggests that attackers can employ the flaw to perform unauthorized actions over the network. Consequently, the risk is moderate and the vulnerability can be exploited without specialized prerequisites.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

ProjectSend

affected

Version	Status	Constraints
`r2002`	affected	—
`r2029`	unaffected	—

No data.

Vendor Product Confidence Versions

Projectsend

95%

Version	Status	Scheme	Platform
`r2002`	affected	generic	—
`r2029`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ProjectSend to r2029
Apply the patch commit 2c0d25824ab571b6c219ac1a188ad9350149661b if upgrading is not possible
Verify the application reports the latest version

Generated by OpenCVE AI on April 6, 2026 at 08:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/projectsend/projectsend/
https://github.com/projectsend/projectsend/commit/2c0d25824ab571b6c219ac1a188ad9350149661b
https://github.com/projectsend/projectsend/releases/tag/r2029
https://vuldb.com/submit/785731
https://vuldb.com/vuln/355414
https://vuldb.com/vuln/355414/cti

History

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Apr 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version r2029 is able to resolve this issue. The patch is named 2c0d25824ab571b6c219ac1a188ad9350149661b. You should upgrade the affected component.
Title		ProjectSend upload.php cross-site request forgery
First Time appeared		Projectsend Projectsend projectsend
Weaknesses		CWE-352 CWE-862
CPEs		cpe:2.3:a:projectsend:projectsend::::::::
Vendors & Products		Projectsend Projectsend projectsend
References		https://github.com/projectsend/projectsend/ https://github.com/projectsend/projectsend/commit/2c0d25824ab571b6c219ac1a188ad9350149661b https://github.com/projectsend/projectsend/releases/tag/r2029 https://vuldb.com/submit/785731 https://vuldb.com/vuln/355414 https://vuldb.com/vuln/355414/cti
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Projectsend Projectsend

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-06T05:00:19.673Z

Updated: 2026-04-06T14:49:43.498Z

Reserved: 2026-04-05T16:51:21.775Z

Link: CVE-2026-5624

Vulnrichment

Updated: 2026-04-06T13:58:20.848Z

NVD

Status : Deferred

Published: 2026-04-06T06:16:21.623

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:47:23Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object