39 matches found
CVE-2023-31779
Wekan v6.84 and earlier is vulnerable to Cross‑Site Scripting (XSS) via the "Reaction to comment" feature. A user with board privileges can inject JavaScript in responses to comments, with the exploit scenario noting potential token theft (e.g., Meteor.loginToken) and page content changes for phi...
CVE-2026-2205
WeKan up to 8.20 is affected in the Meteor Publication Handler component, specifically the file server/publications/cards.js, allowing information disclosure via a remote attack. The public descriptions indicate upgrading to version 8.21 mitigates the issue and reference the patch 0f5a9c38778ca55...
CVE-2021-3309
CVE-2021-3309 affects the Wekan LDAP integration: the module at packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections that are not authorized by the Certification Authority trust store, due to improper CA trust verification. This vulnerability could impact confidentialit...
CVE-2021-20654
Wekan (versions 3.12–4.11) is vulnerable to multiple stored cross-site scripting (Fieldbleed). Root cause cited as improper validation of client-side data leading to CWE-79. Impact: a logged-in user can store malicious input that executes JavaScript in other users’ browsers. Remediation: update t...
CVE-2018-1000549
CVE-2018-1000549 concerns Wekan, v1.04.0, which has an email/username enumeration flaw on the Register and Forgot Password pages. The underlying issue allows a remote attacker to perform a brute-force-style harvest to obtain valid usernames and email addresses, with the attack exploitable over HT...
CVE-2023-28485
CVE-2023-28485 affects WeKan prior to 6.75, stemming from a Stored XSS in the file preview/attachment rename logic. The vulnerability allows remote authenticated users to inject arbitrary script or HTML by exploiting file attachment names, with the ability to rename within their board (BoardAdmin...
CVE-2025-65781
Wekan up to v18.15 contains an issue in the Attachment Upload API where the Authorization Bearer value is treated as a userId, causing a non-terminating body-handling path for any non-empty bearer token. This leads to an application-layer DoS and latent identity-spoofing. The vulnerability affect...
CVE-2026-30844
Wekan (versions 8.32 and 8.33) is vulnerable to SSRF via attachment URL loading during board import. User-supplied JSON data contains attachment URLs that are read by the server without URL validation or filtering. The parseActivities() and parseActions() flows extract these URLs and pass them to...
CVE-2026-1892
The CVE-2026-1892 entry concerns WeKan up to 8.20, specifically the REST API component and its boards.js function setBoardOrgs. The vulnerability arises from manipulating arguments item.cardId, item.checklistId, or card.boardId, leading to improper authorization. Exploitation could be performed r...
CVE-2026-25566
The connected documents confirm a concrete vulnerability in WeKan versions prior to 8.19: an authorization flaw in the card move logic allows a user to specify a destination board, list, or swimlane without proper authorization checks and without validating that the destination items belong to th...
CVE-2026-25567
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user’s identifier. Affected software: ...
CVE-2026-1896
WeKan up to version 8.20 is affected by a vulnerability in ComprehensiveBoardMigration (server/migrations/comprehensiveBoardMigration.js) where manipulating the boardId argument leads to improper access controls. The issue is remote in nature. A fix is available in WeKan 8.21, with patch identifi...
CVE-2026-1897
The CVE-2026-1897 entry describes a vulnerability in WeKan up to version 8.20 affecting the Position-History Tracking component, specifically the file server/methods/positionHistory.js. The issue is a missing authorization vulnerability that could allow remote manipulation. The documented remedia...
CVE-2026-25562
CVE-2026-25562 affects WeKan versions prior to 8.19. Multiple connected sources (PT-2026-6925, Red Hat, NVD/NVD-linked entries) describe an information disclosure where attachment metadata can be returned without proper scoping to boards/cards accessible to the user. Root cause: the system does n...
CVE-2026-25859
The CVE-2026-25859 entry concerns Wekan versions prior to 8.20, where insufficient permission checks allow non-administrative users to access the migration functionality, potentially enabling unauthorized migration operations. The Red Hat, NVD, EUVD, OSV, CVE lists and PT Security entries corrobo...
CVE-2026-2207
WeKan up to 8.20 contains a vulnerability in the Activity Publication Handler, specifically in processing of the file server/publications/activities.js. A manipulation of this component can lead to information disclosure and is exploitable remotely. The issue is addressed by upgrading to version ...
CVE-2026-2208
WeKan up to version 8.20 contains a vulnerability in the Rules Handler, specifically an unknown function within server/publications/rules.js that allows missing authorization. The issue can be exploited remotely, enabling an attacker to access without proper authorization. It is mitigated by upda...
CVE-2026-2209
CVE-2026-2209 — WeKan : A vulnerability in WeKan up to 8.18 affects the Custom Translation Handler’s translationBody.js, specifically the setCreateTranslation function. The issue permits improper authorization and can be exploited remotely. Remediation is to upgrade to version 8.19, for which a p...
CVE-2025-65780
CVE-2025-65780 affects Wekan up to version 18.15 (fixed in 18.16). The issue allows an authenticated user to modify their entire user document (including orgs/teams and loginDisabled) due to missing server-side authorization checks, enabling privilege escalation and unauthorized access to other t...
CVE-2026-1894
WeKan up to 8.20 is affected in the REST API component, specifically the file models/checklistItems.js. Manipulating the arguments item.cardId, item.checklistId, or card.boardId can lead to improper authorization and remote exploitation. A fix is available in version 8.21; apply the official patc...
CVE-2026-2206
WeKan up to version 8.20 contains a security flaw in the Administrative Repair Handler’s code, specifically in server/methods/fixDuplicateLists.js. The vulnerability enables improper access controls and can be exploited remotely. Evidence across multiple sources confirms the issue and points to u...
CVE-2026-25565
CVE-2026-25565 affects WeKan versions prior to 8.19. Affected component: card update API paths. Root cause: authorization check only validates board read access, not write permission, enabling users with read-only roles to perform card updates that should require write access. Impact: unauthorize...
CVE-2025-65778
CVE-2025-65778 affects Wekan (The Open Source Kanban Board) up to version 18.15; fixed in 18.16. Vulnerability arises when uploaded attachments are served with attacker-controlled Content-Type (text/html), permitting execution of attacker-supplied HTML/JS within the application's origin and enabl...
CVE-2026-30847
Summary : Wekan versions 8.31.0–8.33 are affected by an insecure publication in the notificationUsers publication, which returns complete user documents with no field filtering. This exposes highly sensitive fields (bcrypt password hashes, active session login tokens, email verification tokens, f...
CVE-2026-1895
CVE-2026-1895 affects WeKan up to version 8.20, specifically the Attachment Storage Handler’s file models/lists.js , function applyWipLimit . The vulnerability arises from a manipulation that can lead to improper access controls and can be exploited remotely. The advisory states that upgrading to...
CVE-2026-1962
CVE-2026-1962 affects WeKan up to 8.20, in the Attachment Migration component (server/attachmentMigration.js). The issue is an improper access control in an unknown function, potentially exploitable remotely. A fix is available: upgrade to WeKan 8.21; patch identifier 053bf1dfb76ef230db162c64a6ed...
CVE-2026-1963
Affected software: WeKan up to 8.20. Vulnerability: Improper access controls in the Attachment Storage component, specifically in the file models/attachments.js. The issue could be exploited remotely and is driven by an unspecified function, enabling access control bypass. Impact: High (as per CV...
CVE-2026-1964
CVE-2026-1964 affects WeKan up to version 8.20, in the REST Endpoint’s models/boards.js, causing improper access controls. The vulnerability enables remote exploitation as described across multiple sources, with upgrade to 8.21 and official patch 545566f5663545d16174e0f2399f231aa693ab6e recommend...
CVE-2026-25560
The CVE-2026-25560 issue affects WeKan versions prior to 8.19, where LDAP authentication uses the user-supplied username in LDAP search filters and DN-related values without proper escaping. This LDAP filter injection can allow an attacker to manipulate LDAP queries during authentication, leading...
CVE-2026-25564
WeKan versions prior to 8.19 are affected by an insecure direct object reference (IDOR) in checklist creation and related routes. The issue arises because the implementation does not verify that the supplied cardId belongs to the supplied boardId, enabling cross-board ID tampering by manipulating...
CVE-2026-25568
WeKan versions prior to 8.19 contain an authorization logic vulnerability where allowPrivateOnly is not sufficiently enforced at board creation time. When enablement is active, users can still create public boards due to incomplete server-side enforcement. Affected products/version range: WeKan
CVE-2026-30843
Wekan versions 8.32 and 8.33 contain a critical Insecure Direct Object Reference (IDOR) in custom fields update endpoints, allowing cross-board modification of custom fields. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint validates board access but uses the field’s _id as a fi...
CVE-2026-25561
WeKan versions prior to 8.19 are affected by an authorization weakness in the attachment upload API. The endpoint does not fully validate that identifiers such as boardId, cardId, swimlaneId, and listId consistently refer to a coherent card/board relationship, enabling attachments to be uploaded ...
CVE-2026-30846
Wekan versions 8.31.0–8.33 expose all global webhook integrations (including sensitive URL and token fields) via the globalwebhooks publication without server-side access control. Any DDP client, even unauthenticated, can subscribe and receive the data, enabling an attacker to retrieve webhook UR...
CVE-2025-65779
Wekan up to version 18.15 is affected; fixed in 18.16. An unauthenticated attacker can update a board's sort value because Boards.allow returns true without verifying userId, enabling arbitrary reordering of boards. Affected: Wekan (Open Source Kanban board) prior to 18.16. Impact: potential alte...
CVE-2025-65782
Wekan up to v18.15 is affected by an authorization flaw in card update handling that lets board members or other authenticated users add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting. The issue is fixed in v18.16. Affected compone...
CVE-2026-1898
Issue summary: CVE-2026-1898 affects WeKan up to 8.20 in the LDAP User Sync component, specifically the file packages/wekan-ldap/server/syncUser.js. The vulnerability enables improper access controls and can be exploited remotely. Impact (as described): remote attack capable due to access-control...
CVE-2026-25563
CVE-2026-25563 affects WeKan versions prior to 8.19. The issue is an insecure direct object reference (IDOR) in checklist creation and related routes: the implementation does not verify that the supplied cardId belongs to the supplied boardId, enabling cross-board ID tampering. Public documents f...
CVE-2026-30845
Wekan (Meteor-based Kanban) is affected in versions 8.31.0–8.33 where the board composite publication does not filter fields, exposing webhook URLs and authentication tokens to any subscriber, including read-only, comment-only, and unauthenticated DDP clients for public boards. This data exposure...