18 matches found

RedhatCVE
added 2026/05/14 7:58 p.m. · 9 views

CVE-2026-41255

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect,...

CVSS 6.1 · AI score 5.8 · EPSS 0.00124
Exploits: 0 · References: 1
RedhatCVE
added 2026/01/09 9:29 a.m. · 7 views

CVE-2023-50248

CKAN is an open-source data management system for powering data hubs and data portals. Starting in version 2.0.0 and prior to versions 2.9.10 and 2.10.3, when submitting a POST request to the /dataset/new endpoint including either the auth cookie or the Authorization header with a specially-craft...

CVSS 6.5 · AI score 6.7 · EPSS 0.00576
Exploits: 0 · References: 1
RedhatCVE
added 2026/01/09 9:04 a.m. · 11 views

CVE-2024-41674

CKAN is an open-source data management system for powering data hubs and data portals. If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to package_search calls as part of the returned error message. This has been patched ...

CVSS 5.3 · AI score 6.8 · EPSS 0.00377
Exploits: 0 · References: 1
Github Security Blog
added 2025/10/29 9:49 p.m. · 7 views

CKAN vulnerable to fixed session IDs

Impact: Session IDs could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers...

CVSS 6.1 · AI score 6.6 · EPSS 0.0024
Exploits: 0 · References: 4 · Affected software: 1
NVD
added 2025/10/29 6:15 p.m. · 2 views

CVE-2025-64100

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session IDs could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to...

CVSS 6.1 · EPSS 0.0024
Exploits: 0 · References: 2
OSV
added 2025/10/29 5:54 p.m. · 4 views

CVE-2025-64100 CKAN Vulnerable to Session Cookie Fixation

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session IDs could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to...

CVSS 6.1 · AI score 6.5 · EPSS 0.0024
Exploits: 0 · References: 4
Positive Technologies
added 2025/10/29 12:00 a.m. · 5 views

PT-2025-44340

Name of the Vulnerable Software and Affected Versions: CKAN versions prior to 2.10.9; CKAN versions prior to 2.11.4. Description: CKAN, an open-source data management system, is affected by an issue where session identifiers could be predictable by an attacker if the system is configured to use...

CVSS 6.1 · AI score 6.5 · EPSS 0.0024
Exploits: 0 · References: 6
Positive Technologies
added 2025/10/29 12:00 a.m. · 4 views

PT-2025-44311

Name of the Vulnerable Software and Affected Versions: CKAN versions prior to 2.10.9; CKAN versions prior to 2.11.4. Description: CKAN, an open-source data management system, contains a flaw in the helpers.markdown extract function. Insufficient input sanitization before wrapping data in an HTML...

CVSS 6.3 · AI score 5.7 · EPSS 0.00182
Exploits: 0 · References: 6
EUVD
added 2025/10/07 12:30 a.m. · 5 views

EUVD-2021-0042

Malware in sbrugna...

CVSS 5.4 · AI score 5.4 · EPSS 0.00493
Exploits: 0 · References: 7
EUVD
added 2025/10/03 8:07 p.m. · 5 views

EUVD-2023-3144

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.5 · EPSS 0.00576
Exploits: 0 · References: 4
RedhatCVE
added 2025/05/23 12:03 a.m. · 4 views

CVE-2022-43685

CKAN through 2.9.6 allows account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account, including superuser accounts...

CVSS 8.8 · AI score 6.9 · EPSS 0.00679
Exploits: 0 · References: 1
Veracode
added 2025/02/07 7:51 a.m. · 5 views

Arbitrary Code Execution

CKAN is vulnerable to Arbitrary Code Execution. The vulnerability is due to insufficient validation of uploaded files, allowing a specially crafted file to execute code when opened by an administrator, potentially leading to privilege escalation or other malicious actions...

CVSS 7.3 · AI score 7.5 · EPSS 0.00424
Exploits: 0 · References: 9 · Affected software: 1
Positive Technologies
added 2025/02/05 12:00 a.m. · 5 views

PT-2025-5744 · Ckan · Ckan

Name of the Vulnerable Software and Affected Versions: CKAN versions prior to 2.10.7 and 2.11.2 Description: CKAN is an open-source data management system for powering data hubs and data portals. A user could potentially upload a file containing code that, when executed, could send arbitrary...

CVSS 7.3 · AI score 7.8 · EPSS 0.00424
Exploits: 0 · References: 15
Positive Technologies
added 2024/03/13 12:00 a.m. · 4 views

PT-2024-21647 · Ckan · Ckan

Name of the Vulnerable Software and Affected Versions: CKAN versions prior to 2.9.11; CKAN versions prior to 2.10.4. Description: A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log...

CVSS 5.3 · AI score 6.7 · EPSS 0.00434
Exploits: 0 · References: 11
CNNVD
added 2023/02/03 12:00 a.m. · 5 views

CKAN security vulnerability

CKAN is an open-source DMS (data management system) used to power data hubs and data portals. A security vulnerability exists in CKAN versions prior to 5.4.1, which stems from the fact that if a user does not set a custom value via an environment variable in the .env file, a key is shared betwe...

CVSS 8.6 · AI score 7.3 · EPSS 0.00693
Exploits: 0 · References: 4
Positive Technologies
added 2022/11/22 12:00 a.m. · 4 views

PT-2022-27001 · Ckan · Ckan

Name of the Vulnerable Software and Affected Versions: CKAN versions 2.9.6 and earlier Description: The issue allows unauthenticated users to take over existing accounts, including superuser accounts, by sending an existing user id via an HTTP POST request. This enables an attacker to gain contro...

CVSS 8.8 · AI score 7.3 · EPSS 0.00679
Exploits: 0 · References: 11
Vulnrichment
added 2022/11/22 12:00 a.m. · 8 views

CVE-2022-43685

CKAN through 2.9.6 allows account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account, including superuser accounts...

AI score 8.7 · EPSS 0.00679
Exploits: 0 · References: 2
Vulnrichment
added 2021/12/01 1:40 p.m. · 5 views

CVE-2021-25967 CKAN - Stored Cross-Site Scripting (XSS) via SVG File Upload

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users' profile pictures. This allows low-privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim's browser when they open the maliciou...

CVSS 5.4 · AI score 5.6 · EPSS 0.00493
Exploits: 0 · References: 1