CVE-2026-24007

MEDIUM

Tuleap - CSRF

Title source: llm

Description

Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9.

References (4)

[Various Sources] https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5

[Various Sources] https://tuleap.net/plugins/tracker/?aid=46389

[Patch] https://github.com/Enalean/tuleap/commit/5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/Enalean/tuleap/security/advisories/GHSA-7g48-rwqj-ffxw

Scores

CVSS v3 4.6

EPSS 0.0001

EPSS Percentile 0.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Classification

CWE

CWE-352

Status published

Affected Products (2)

enalean/tuleap < 17.0-9

enalean/tuleap < 17.0.99.1768924735

Timeline

Published Feb 02, 2026

Tracked Since Feb 18, 2026