Lucene search
+L

433 matches found

Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.5 views

PT-2026-23749

🚨 CVE-2026-30847 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such a...

9.3CVSS5.8AI score0.00235EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/06 12:0 a.m.7 views

WeKan 安全漏洞

WeKan is an open-source dashboard application developed by WeKan. Versions 8.32 and 8.33 of WeKan contain security vulnerabilities. These vulnerabilities stem from insecure direct object references, which could allow unauthorized users to modify custom fields across dashboards...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/03/06 12:0 a.m.7 views

WeKan 安全漏洞

WeKan is an open-source dashboard application developed by WeKan. Versions of WeKan from 8.31.0 to 8.33 contain security vulnerabilities. These vulnerabilities stem from the lack of field filtering during integrated data publishing, which may lead to the exposure of Webhook credentials...

8.2CVSS5.8AI score0.00291EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.16 views

PT-2026-23746

🚨 CVE-2026-30846 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.7 views

PT-2026-23743

🚨 CVE-2026-30843 Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.10 views

PT-2026-23744

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

9.3CVSS5.8AI score0.00235EPSS
Exploits0References4
CNVD
CNVD
added 2026/02/11 12:0 a.m.5 views

WeKan has an unspecified vulnerability

WeKan is a Kanban application from WeKan open source. WeKan suffers from a security vulnerability that can be exploited by an attacker to spoof the author of a recorded comment by providing another user's identifier...

5.3CVSS5.9AI score0.00246EPSS
Exploits0References1
CNVD
CNVD
added 2026/02/11 12:0 a.m.4 views

Unspecified vulnerability in WeKan (CNVD-2026-11748)

WeKan is a Kanban application from WeKan open source. WeKan has a security vulnerability that can be exploited by an attacker to cause a user with a read-only role to perform card updates that require write access...

7.1CVSS5.9AI score0.00277EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.9 views

CVE-2026-2209

A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotel...

6.5CVSS6AI score0.00188EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.5 views

CVE-2026-2205

A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to...

5.3CVSS4.7AI score0.00235EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.5 views

CVE-2026-25567

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier...

5.3CVSS5.3AI score0.00246EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.5 views

CVE-2026-25562

WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users...

5.3CVSS5.4AI score0.00287EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.4 views

CVE-2026-2208

A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended ...

6.5CVSS4.6AI score0.00244EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.7 views

CVE-2026-25565

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access...

7.1CVSS5.3AI score0.00277EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.5 views

CVE-2026-25560

WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication...

9.8CVSS5.4AI score0.00654EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.6 views

CVE-2026-25859

Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations...

8.8CVSS5.2AI score0.00343EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.7 views

CVE-2026-25568

WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement...

7.1CVSS5.3AI score0.0019EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.6 views

CVE-2026-2207

A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely...

6.9CVSS5.3AI score0.00342EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.6 views

CVE-2026-25561

WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers such as boardId, cardId, swimlaneId, and listId are consistent and refer to a coherent card/board relationship, enabling attempts to upload...

7.5CVSS5.3AI score0.0028EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/09 1:33 a.m.8 views

CVE-2026-25566

WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially...

7.1CVSS5.3AI score0.00222EPSS
Exploits0References1
Rows per page
Query Builder