Theonedev Onedev
18 CVEs affecting Theonedev Onedev. Latest disclosed: 2026-05-14. Critical: 9, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-21245 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) t… |
| CVE-2021-21242 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. At… |
| CVE-2021-21243 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from th… |
| CVE-2021-21244 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server side template injection via Bean… |
| CVE-2022-39206 | Critical | 9.9 | 2022-09-13 | Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on… |
| CVE-2021-21247 | Critical | 9.6 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior… |
| CVE-2021-21249 | Critical | 9.6 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execu… |
| CVE-2021-21248 | Critical | 9.6 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec i… |
| CVE-2022-39205 | Critical | 9.0 | 2022-09-13 | Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev insta… |
| CVE-2021-21246 | High | 8.6 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only admini… |
| CVE-2023-24828 | High | 8.1 | 2023-02-07 | Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was n… |
| CVE-2021-21250 | High | 7.7 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpe… |
| CVE-2021-21251 | High | 7.7 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue may lead to arbitrary file wri… |
| CVE-2022-39208 | High | 7.5 | 2022-09-13 | Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenti… |
| CVE-2022-39207 | Medium | 5.4 | 2022-09-13 | Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They c… |
| CVE-2021-32651 | Low | 3.1 | 2021-06-01 | OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manip… |
| CVE-2026-44647 | | | 2026-05-14 | OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS… |
| CVE-2024-45309 | | | 2024-10-21 | OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files acces… |