2 matches found
CVE-2026-59154
Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination...
Trello: Using WebSocket I can always access organization data even if I am removed
When a user is a member of a team, they are allowed to connect to an update channel that sends them notifications when the team changes. There were some cases where a team member might receive an update that included the name of board that was in their team … even if they weren't a member of that...