CVE-2025-55010
Kanboard before 1.2.47 is affected by an unsafe deserialization in ProjectEventActvityFormatter that lets an admin modify event["data"] in project_activities to instantiate arbitrary PHP objects, enabling a gadget to write a web shell in /plugins and achieve remote code execution. The issue has b...