Lucene search
K

401 matches found

NVD
NVD
added 2026/03/06 8:16 p.m.6 views

CVE-2026-30845

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...

8.2CVSS0.00291EPSS
Exploits0References3
NVD
NVD
added 2026/03/06 8:16 p.m.9 views

CVE-2026-30846

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS0.00345EPSS
Exploits0References3
NVD
NVD
added 2026/03/06 8:16 p.m.6 views

CVE-2026-30843

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS0.00218EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/06 7:37 p.m.27 views

CVE-2026-30847 Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS0.00235EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/06 7:37 p.m.2 views

CVE-2026-30847

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/06 7:37 p.m.2 views

CVE-2026-30847 Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References3
CVE
CVE
added 2026/03/06 7:37 p.m.16 views

CVE-2026-30847

Summary : Wekan versions 8.31.0–8.33 are affected by an insecure publication in the notificationUsers publication, which returns complete user documents with no field filtering. This exposes highly sensitive fields (bcrypt password hashes, active session login tokens, email verification tokens, f...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/03/06 7:37 p.m.5 views

EUVD-2026-10066

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References3
OSV
OSV
added 2026/03/06 7:37 p.m.5 views

CVE-2026-30847 Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/06 7:35 p.m.3 views

CVE-2026-30846 Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/06 7:35 p.m.7 views

EUVD-2026-10065

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/06 7:35 p.m.4 views

CVE-2026-30846

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/06 7:35 p.m.14 views

CVE-2026-30846 Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/03/06 7:34 p.m.5 views

CVE-2026-30845

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...

6.9CVSS5.7AI score0.00291EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/06 7:34 p.m.3 views

CVE-2026-30845 Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...

6.9CVSS5.7AI score0.00291EPSS
Exploits0References3
OSV
OSV
added 2026/03/06 7:34 p.m.4 views

CVE-2026-30845 Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...

6.9CVSS5.7AI score0.00291EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/06 7:33 p.m.37 views

CVE-2026-30844 Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

9.3CVSS0.00235EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/06 7:33 p.m.16 views

CVE-2026-30844

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

9.3CVSS5.8AI score0.00235EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/03/06 7:33 p.m.23 views

CVE-2026-30844

Wekan (versions 8.32 and 8.33) is vulnerable to SSRF via attachment URL loading during board import. User-supplied JSON data contains attachment URLs that are read by the server without URL validation or filtering. The parseActivities() and parseActions() flows extract these URLs and pass them to...

9.3CVSS5.8AI score0.00235EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/03/06 7:33 p.m.6 views

EUVD-2026-10063

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

9.3CVSS5.8AI score0.00235EPSS
Exploits0References3
Rows per page
Query Builder