Flyspray 0.9.9, when output_buffering is disabled or "set to a low value," allows remote malicious users to bypass authentication via a crafted post request.
flyspray flyspray 0.9.9