2 matches found
CVE-2026-58660
Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save method used by the kanban board drag-and-drop endpoint validates the caller's role on the attacker-supplied projectid but never verifies that the supplied taskid actually belongs to that project. Because task identifiers a...
Anyone can create disputes if contractor is not set
Lines of code Vulnerability details Impact Disputes enable an actor to arbitrate & potentially enforce requested state changes. However, the current implementation does not properly implement authorization, thus anyone is able to create disputes and spam the system with invalid disputes. Proof of...