2 matches found
CVE-2026-58660
Kanboard
CVE-2026-58660 Kanboard BoardAjaxController Missing Ownership Check via Drag-and-Drop
Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save method used by the kanban board drag-and-drop endpoint validates the caller's role on the attacker-supplied projectid but never verifies that the supplied taskid actually belongs to that project. Because task identifiers a...