Lucene search
+L

433 matches found

OSV
OSV
added 2026/04/22 9:8 p.m.5 views

CVE-2026-41454 WeKan < 8.35 Missing Authorization via Integration REST API

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new...

8.7CVSS6AI score0.00274EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.9 views

WeKan 代码问题漏洞

WeKan is an open-source dashboard application developed by WeKan. Versions of WeKan prior to 8.35 contained code vulnerabilities. These vulnerabilities stemmed from the webhook integration URL processing, where the url pattern field allowed any string without protocol restrictions or target...

8.5CVSS5.9AI score0.00236EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.13 views

PT-2026-34568

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new...

8.7CVSS5.8AI score0.00274EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.7 views

PT-2026-34569

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...

8.5CVSS6AI score0.00236EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.11 views

WeKan 安全漏洞

WeKan is an open-source dashboard application developed by WeKan. Versions of WeKan prior to 8.35 contained security vulnerabilities. These vulnerabilities stemmed from insufficient authorization checks for Integration REST API endpoints, which could allow authenticated dashboard members to perfo...

8.7CVSS5.8AI score0.00274EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/08 1:44 a.m.7 views

CVE-2026-30845

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...

8.2CVSS5.7AI score0.00291EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/08 1:44 a.m.7 views

CVE-2026-30846

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/08 1:44 a.m.4 views

CVE-2026-30847

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/08 1:44 a.m.5 views

CVE-2026-30844

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

9.3CVSS5.8AI score0.00235EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/07 7:31 p.m.9 views

CVE-2026-30843

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References1
NVD
NVD
added 2026/03/06 8:16 p.m.8 views

CVE-2026-30847

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS0.00235EPSS
Exploits0References3
NVD
NVD
added 2026/03/06 8:16 p.m.8 views

CVE-2026-30844

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

9.3CVSS0.00235EPSS
Exploits0References3
NVD
NVD
added 2026/03/06 8:16 p.m.6 views

CVE-2026-30845

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...

8.2CVSS0.00291EPSS
Exploits0References3
NVD
NVD
added 2026/03/06 8:16 p.m.9 views

CVE-2026-30846

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS0.00345EPSS
Exploits0References3
NVD
NVD
added 2026/03/06 8:16 p.m.6 views

CVE-2026-30843

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS0.00218EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/06 7:37 p.m.2 views

CVE-2026-30847

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/03/06 7:37 p.m.27 views

CVE-2026-30847 Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS0.00235EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/06 7:37 p.m.2 views

CVE-2026-30847 Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References3
CVE
CVE
added 2026/03/06 7:37 p.m.16 views

CVE-2026-30847

Summary : Wekan versions 8.31.0–8.33 are affected by an insecure publication in the notificationUsers publication, which returns complete user documents with no field filtering. This exposes highly sensitive fields (bcrypt password hashes, active session login tokens, email verification tokens, f...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/03/06 7:37 p.m.5 views

EUVD-2026-10066

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

9.3CVSS5.7AI score0.00235EPSS
Exploits0References3
Rows per page
Query Builder