Redmine Security Report for version 5.1.12
Redmine 5.1.12 was released 1 day ago on March 17, 2026. It is subject to one known vulnerability.
What now?
We strongly recommend you update your Redmine to the latest version.
Not enough time to keep Redmine secure?
Move to Professionally Hosted Redmine by Planio.
Detailed Analysis
- Remote Code Execution (RCE)
  An RCE vulnerability allows attackers to run arbitrary code on your server. In consequence, this enables them to bypass all Redmine roles and permissions. They may read, change and delete all data stored in the Redmine database. Depending on the server configuration, they may even take over the entire server and do things like delete all backups or send out SPAM messages in your or your company's name.
- Unsafe eval usage in AttachmentsHelper
  Severity: Low
  Custom plugins calling the render_api_attachment helper with user-controlled data may cause a remote code execution vulnerability. Redmine on its own is not vulnerable here.
  Fixed in: 6.0.0