| Bug | Description | 
|---|---|
| TEMP-0000000-838979 | Escape href attribute in auto links | 
| TEMP-0000000-56C871 | Fixes permission check in QueriesController | 
| CVE-2025-4011 | A vulnerability has been found in Redmine 6.0.0/6.0.1/6.0.2/6.0.3 and  ... | 
| CVE-2023-47260 | Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails ... | 
| CVE-2023-47259 | Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile ... | 
| CVE-2023-47258 | Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown  ... | 
| CVE-2022-44637 | Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in i ... | 
| CVE-2022-44031 | Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in i ... | 
| CVE-2022-44030 | Redmine 5.x before 5.0.4 allows downloading of file attachments of any ... | 
| CVE-2021-42326 | Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of  ... | 
| CVE-2021-37156 | Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon  ... | 
| CVE-2021-31866 | Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to lear ... | 
| CVE-2021-31865 | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allow ... | 
| CVE-2021-31864 | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allow ... | 
| CVE-2021-31863 | Insufficient input validation in the Git repository integration of Red ... | 
| CVE-2021-30164 | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass ... | 
| CVE-2021-30163 | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discov ... | 
| CVE-2021-29274 | Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mi ... | 
| CVE-2020-36308 | Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discov ... | 
| CVE-2020-36307 | Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile ... | 
| CVE-2020-36306 | Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url f ... | 
| CVE-2019-25026 | Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data duri ... | 
| CVE-2019-18890 | A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x befor ... | 
| CVE-2019-17427 | In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists ... | 
| CVE-2017-18026 | Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does  ... | 
| CVE-2017-16804 | In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function ... | 
| CVE-2017-15577 | Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering o ... | 
| CVE-2017-15576 | Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rend ... | 
| CVE-2017-15575 | In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a che ... | 
| CVE-2017-15574 | In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible ... | 
| CVE-2017-15573 | In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because mar ... | 
| CVE-2017-15572 | In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can o ... | 
| CVE-2017-15571 | In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ... | 
| CVE-2017-15570 | In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ... | 
| CVE-2017-15569 | In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ... | 
| CVE-2017-15568 | In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ... | 
| CVE-2016-10515 | In Redmine before 3.2.3, there are stored XSS vulnerabilities affectin ... | 
| CVE-2015-8537 | app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before ... | 
| CVE-2015-8477 | Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allow ... | 
| CVE-2015-8474 | Open redirect vulnerability in the valid_back_url function in app/cont ... | 
| CVE-2015-8473 | The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x  ... | 
| CVE-2015-8346 | app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before ... | 
| CVE-2014-1985 | Open redirect vulnerability in the redirect_back_or_default function i ... | 
| CVE-2012-2054 | Redmine before 1.3.2 does not properly restrict the use of a hash to p ... | 
| CVE-2012-0327 | Cross-site scripting (XSS) vulnerability in Redmine before 1.3.2 allow ... | 
| CVE-2011-4929 | Unspecified vulnerability in the bazaar repository adapter in Redmine  ... | 
| CVE-2011-4928 | Cross-site scripting (XSS) vulnerability in the textile formatter in R ... | 
| CVE-2011-4927 | Unspecified vulnerability in the bazaar repository adapter in Redmine  ... | 
| CVE-2009-4459 | Redmine 0.8.7 and earlier uses the title tag before defining the chara ... | 
| CVE-2009-4079 | Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and e ... | 
| CVE-2009-4078 | Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 a ... |