4 matches found
CVE-2026-59154 Wekan: Checklist direct DDP updates can write checklist data into private boards
Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination...
CVE-2026-59154
The CVE affects Wekan (open‑source Kanban) prior to version 9.64. A cross‑board authorization bypass exists in the direct Meteor collection allow rules for Checklists and ChecklistItems: updates are authorized only against the current source doc.cardId and do not inspect destination cardId or boa...
EUVD-2026-42935
Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination...
PT-2026-6931
Name of the Vulnerable Software and Affected Versions WeKan versions prior to 8.19 Description An authorization issue exists in WeKan where the allowPrivateOnly instance configuration setting is not fully enforced during board creation. When allowPrivateOnly is enabled, users are still able to...