cve-2026-53634 let authenticated sharp users bypass create authorization through quick creation command endpoints
cve-2026-49355 exposed private work package data through the single meeting agenda item api in openproject
cve-2026-50198 and cve-2026-50199 in wallos both came from cross-user references being accepted first and trusted later