Lucene search
K
Wekan ProjectWekan

39 matches found

CVE
CVE
added 2023/05/22 12:0 a.m.60 views

CVE-2023-31779

Wekan v6.84 and earlier is vulnerable to Cross‑Site Scripting (XSS) via the "Reaction to comment" feature. A user with board privileges can inject JavaScript in responses to comments, with the exploit scenario noting potential token theft (e.g., Meteor.loginToken) and page content changes for phi...

5.4CVSS5.4AI score0.0056EPSS
CVE
CVE
added 2026/02/08 1:9 a.m.60 views

CVE-2026-2205

WeKan up to 8.20 is affected in the Meteor Publication Handler component, specifically the file server/publications/cards.js, allowing information disclosure via a remote attack. The public descriptions indicate upgrading to version 8.21 mitigates the issue and reference the patch 0f5a9c38778ca55...

5.3CVSS4.8AI score0.00235EPSS
CVE
CVE
added 2021/01/26 8:13 p.m.57 views

CVE-2021-3309

CVE-2021-3309 affects the Wekan LDAP integration: the module at packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections that are not authorized by the Certification Authority trust store, due to improper CA trust verification. This vulnerability could impact confidentialit...

8.1CVSS8AI score0.01696EPSS
CVE
CVE
added 2021/02/10 8:50 a.m.52 views

CVE-2021-20654

Wekan (versions 3.12–4.11) is vulnerable to multiple stored cross-site scripting (Fieldbleed). Root cause cited as improper validation of client-side data leading to CWE-79. Impact: a logged-in user can store malicious input that executes JavaScript in other users’ browsers. Remediation: update t...

5.4CVSS5.1AI score0.00751EPSS
CVE
CVE
added 2018/06/26 4:0 p.m.47 views

CVE-2018-1000549

CVE-2018-1000549 concerns Wekan, v1.04.0, which has an email/username enumeration flaw on the Register and Forgot Password pages. The underlying issue allows a remote attacker to perform a brute-force-style harvest to obtain valid usernames and email addresses, with the attack exploitable over HT...

5.3CVSS5.2AI score0.01301EPSS
CVE
CVE
added 2023/06/26 12:0 a.m.41 views

CVE-2023-28485

CVE-2023-28485 affects WeKan prior to 6.75, stemming from a Stored XSS in the file preview/attachment rename logic. The vulnerability allows remote authenticated users to inject arbitrary script or HTML by exploiting file attachment names, with the ability to rename within their board (BoardAdmin...

5.4CVSS4.9AI score0.00965EPSS
CVE
CVE
added 2025/12/15 12:0 a.m.28 views

CVE-2025-65781

Wekan up to v18.15 contains an issue in the Attachment Upload API where the Authorization Bearer value is treated as a userId, causing a non-terminating body-handling path for any non-empty bearer token. This leads to an application-layer DoS and latent identity-spoofing. The vulnerability affect...

8.2CVSS6.6AI score0.00299EPSS
CVE
CVE
added 2026/03/06 7:33 p.m.23 views

CVE-2026-30844

Wekan (versions 8.32 and 8.33) is vulnerable to SSRF via attachment URL loading during board import. User-supplied JSON data contains attachment URLs that are read by the server without URL validation or filtering. The parseActivities() and parseActions() flows extract these URLs and pass them to...

9.3CVSS5.8AI score0.00235EPSS
CVE
CVE
added 2026/02/04 10:2 p.m.21 views

CVE-2026-1892

The CVE-2026-1892 entry concerns WeKan up to 8.20, specifically the REST API component and its boards.js function setBoardOrgs. The vulnerability arises from manipulating arguments item.cardId, item.checklistId, or card.boardId, leading to improper authorization. Exploitation could be performed r...

5CVSS4.8AI score0.00241EPSS
CVE
CVE
added 2026/02/07 9:58 p.m.21 views

CVE-2026-25566

The connected documents confirm a concrete vulnerability in WeKan versions prior to 8.19: an authorization flaw in the card move logic allows a user to specify a destination board, list, or swimlane without proper authorization checks and without validating that the destination items belong to th...

7.1CVSS5.4AI score0.00222EPSS
CVE
CVE
added 2026/02/07 9:58 p.m.21 views

CVE-2026-25567

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user’s identifier. Affected software: ...

5.3CVSS5.4AI score0.00246EPSS
CVE
CVE
added 2026/02/04 11:32 p.m.20 views

CVE-2026-1896

WeKan up to version 8.20 is affected by a vulnerability in ComprehensiveBoardMigration (server/migrations/comprehensiveBoardMigration.js) where manipulating the boardId argument leads to improper access controls. The issue is remote in nature. A fix is available in WeKan 8.21, with patch identifi...

6.5CVSS6AI score0.00276EPSS
CVE
CVE
added 2026/02/05 12:2 a.m.19 views

CVE-2026-1897

The CVE-2026-1897 entry describes a vulnerability in WeKan up to version 8.20 affecting the Position-History Tracking component, specifically the file server/methods/positionHistory.js. The issue is a missing authorization vulnerability that could allow remote manipulation. The documented remedia...

5.3CVSS4.7AI score0.003EPSS
CVE
CVE
added 2026/02/07 9:57 p.m.19 views

CVE-2026-25562

CVE-2026-25562 affects WeKan versions prior to 8.19. Multiple connected sources (PT-2026-6925, Red Hat, NVD/NVD-linked entries) describe an information disclosure where attachment metadata can be returned without proper scoping to boards/cards accessible to the user. Root cause: the system does n...

5.3CVSS5.4AI score0.00287EPSS
CVE
CVE
added 2026/02/07 9:59 p.m.19 views

CVE-2026-25859

The CVE-2026-25859 entry concerns Wekan versions prior to 8.20, where insufficient permission checks allow non-administrative users to access the migration functionality, potentially enabling unauthorized migration operations. The Red Hat, NVD, EUVD, OSV, CVE lists and PT Security entries corrobo...

8.8CVSS5.3AI score0.00343EPSS
CVE
CVE
added 2026/02/08 1:9 a.m.18 views

CVE-2026-2207

WeKan up to 8.20 contains a vulnerability in the Activity Publication Handler, specifically in processing of the file server/publications/activities.js. A manipulation of this component can lead to information disclosure and is exploitable remotely. The issue is addressed by upgrading to version ...

6.9CVSS5.4AI score0.00342EPSS
CVE
CVE
added 2026/02/08 1:9 a.m.18 views

CVE-2026-2208

WeKan up to version 8.20 contains a vulnerability in the Rules Handler, specifically an unknown function within server/publications/rules.js that allows missing authorization. The issue can be exploited remotely, enabling an attacker to access without proper authorization. It is mitigated by upda...

6.5CVSS4.6AI score0.00244EPSS
CVE
CVE
added 2026/02/08 1:14 a.m.18 views

CVE-2026-2209

CVE-2026-2209 — WeKan : A vulnerability in WeKan up to 8.18 affects the Custom Translation Handler’s translationBody.js, specifically the setCreateTranslation function. The issue permits improper authorization and can be exploited remotely. Remediation is to upgrade to version 8.19, for which a p...

6.5CVSS6AI score0.00188EPSS
CVE
CVE
added 2025/12/15 12:0 a.m.17 views

CVE-2025-65780

CVE-2025-65780 affects Wekan up to version 18.15 (fixed in 18.16). The issue allows an authenticated user to modify their entire user document (including orgs/teams and loginDisabled) due to missing server-side authorization checks, enabling privilege escalation and unauthorized access to other t...

8.8CVSS6.8AI score0.00294EPSS
CVE
CVE
added 2026/02/04 10:32 p.m.17 views

CVE-2026-1894

WeKan up to 8.20 is affected in the REST API component, specifically the file models/checklistItems.js. Manipulating the arguments item.cardId, item.checklistId, or card.boardId can lead to improper authorization and remote exploitation. A fix is available in version 8.21; apply the official patc...

6.5CVSS5AI score0.00236EPSS
CVE
CVE
added 2026/02/08 1:9 a.m.17 views

CVE-2026-2206

WeKan up to version 8.20 contains a security flaw in the Administrative Repair Handler’s code, specifically in server/methods/fixDuplicateLists.js. The vulnerability enables improper access controls and can be exploited remotely. Evidence across multiple sources confirms the issue and points to u...

8.8CVSS6.2AI score0.00239EPSS
CVE
CVE
added 2026/02/07 9:58 p.m.17 views

CVE-2026-25565

CVE-2026-25565 affects WeKan versions prior to 8.19. Affected component: card update API paths. Root cause: authorization check only validates board read access, not write permission, enabling users with read-only roles to perform card updates that should require write access. Impact: unauthorize...

7.1CVSS5.3AI score0.00277EPSS
CVE
CVE
added 2025/12/15 12:0 a.m.16 views

CVE-2025-65778

CVE-2025-65778 affects Wekan (The Open Source Kanban Board) up to version 18.15; fixed in 18.16. Vulnerability arises when uploaded attachments are served with attacker-controlled Content-Type (text/html), permitting execution of attacker-supplied HTML/JS within the application's origin and enabl...

8.1CVSS6.7AI score0.00323EPSS
CVE
CVE
added 2026/03/06 7:37 p.m.16 views

CVE-2026-30847

Summary : Wekan versions 8.31.0–8.33 are affected by an insecure publication in the notificationUsers publication, which returns complete user documents with no field filtering. This exposes highly sensitive fields (bcrypt password hashes, active session login tokens, email verification tokens, f...

9.3CVSS5.7AI score0.00235EPSS
CVE
CVE
added 2026/02/04 11:2 p.m.15 views

CVE-2026-1895

CVE-2026-1895 affects WeKan up to version 8.20, specifically the Attachment Storage Handler’s file models/lists.js , function applyWipLimit . The vulnerability arises from a manipulation that can lead to improper access controls and can be exploited remotely. The advisory states that upgrading to...

6.5CVSS5AI score0.00276EPSS
CVE
CVE
added 2026/02/05 8:32 p.m.15 views

CVE-2026-1962

CVE-2026-1962 affects WeKan up to 8.20, in the Attachment Migration component (server/attachmentMigration.js). The issue is an improper access control in an unknown function, potentially exploitable remotely. A fix is available: upgrade to WeKan 8.21; patch identifier 053bf1dfb76ef230db162c64a6ed...

9.8CVSS4.8AI score0.00323EPSS
CVE
CVE
added 2026/02/05 9:2 p.m.15 views

CVE-2026-1963

Affected software: WeKan up to 8.20. Vulnerability: Improper access controls in the Attachment Storage component, specifically in the file models/attachments.js. The issue could be exploited remotely and is driven by an unspecified function, enabling access control bypass. Impact: High (as per CV...

9.8CVSS4.9AI score0.00323EPSS
CVE
CVE
added 2026/02/05 9:32 p.m.15 views

CVE-2026-1964

CVE-2026-1964 affects WeKan up to version 8.20, in the REST Endpoint’s models/boards.js, causing improper access controls. The vulnerability enables remote exploitation as described across multiple sources, with upgrade to 8.21 and official patch 545566f5663545d16174e0f2399f231aa693ab6e recommend...

5.3CVSS5AI score0.00218EPSS
CVE
CVE
added 2026/02/07 9:56 p.m.14 views

CVE-2026-25560

The CVE-2026-25560 issue affects WeKan versions prior to 8.19, where LDAP authentication uses the user-supplied username in LDAP search filters and DN-related values without proper escaping. This LDAP filter injection can allow an attacker to manipulate LDAP queries during authentication, leading...

9.8CVSS5.5AI score0.00654EPSS
CVE
CVE
added 2026/02/07 9:57 p.m.14 views

CVE-2026-25564

WeKan versions prior to 8.19 are affected by an insecure direct object reference (IDOR) in checklist creation and related routes. The issue arises because the implementation does not verify that the supplied cardId belongs to the supplied boardId, enabling cross-board ID tampering by manipulating...

7.5CVSS5.4AI score0.0028EPSS
CVE
CVE
added 2026/02/07 9:59 p.m.14 views

CVE-2026-25568

WeKan versions prior to 8.19 contain an authorization logic vulnerability where allowPrivateOnly is not sufficiently enforced at board creation time. When enablement is active, users can still create public boards due to incomplete server-side enforcement. Affected products/version range: WeKan

7.1CVSS5.4AI score0.0019EPSS
CVE
CVE
added 2026/03/06 7:30 p.m.14 views

CVE-2026-30843

Wekan versions 8.32 and 8.33 contain a critical Insecure Direct Object Reference (IDOR) in custom fields update endpoints, allowing cross-board modification of custom fields. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint validates board access but uses the field’s _id as a fi...

9.3CVSS5.8AI score0.00218EPSS
Web
CVE
CVE
added 2026/02/07 9:56 p.m.13 views

CVE-2026-25561

WeKan versions prior to 8.19 are affected by an authorization weakness in the attachment upload API. The endpoint does not fully validate that identifiers such as boardId, cardId, swimlaneId, and listId consistently refer to a coherent card/board relationship, enabling attachments to be uploaded ...

7.5CVSS5.4AI score0.0028EPSS
CVE
CVE
added 2026/03/06 7:35 p.m.13 views

CVE-2026-30846

Wekan versions 8.31.0–8.33 expose all global webhook integrations (including sensitive URL and token fields) via the globalwebhooks publication without server-side access control. Any DDP client, even unauthenticated, can subscribe and receive the data, enabling an attacker to retrieve webhook UR...

8.7CVSS5.7AI score0.00345EPSS
CVE
CVE
added 2025/12/15 12:0 a.m.12 views

CVE-2025-65779

Wekan up to version 18.15 is affected; fixed in 18.16. An unauthenticated attacker can update a board's sort value because Boards.allow returns true without verifying userId, enabling arbitrary reordering of boards. Affected: Wekan (Open Source Kanban board) prior to 18.16. Impact: potential alte...

7.5CVSS6.7AI score0.00274EPSS
CVE
CVE
added 2025/12/15 12:0 a.m.12 views

CVE-2025-65782

Wekan up to v18.15 is affected by an authorization flaw in card update handling that lets board members or other authenticated users add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting. The issue is fixed in v18.16. Affected compone...

6.5CVSS6.6AI score0.00229EPSS
CVE
CVE
added 2026/02/05 12:32 a.m.12 views

CVE-2026-1898

Issue summary: CVE-2026-1898 affects WeKan up to 8.20 in the LDAP User Sync component, specifically the file packages/wekan-ldap/server/syncUser.js. The vulnerability enables improper access controls and can be exploited remotely. Impact (as described): remote attack capable due to access-control...

6.5CVSS6.2AI score0.00266EPSS
CVE
CVE
added 2026/02/07 9:57 p.m.12 views

CVE-2026-25563

CVE-2026-25563 affects WeKan versions prior to 8.19. The issue is an insecure direct object reference (IDOR) in checklist creation and related routes: the implementation does not verify that the supplied cardId belongs to the supplied boardId, enabling cross-board ID tampering. Public documents f...

7.5CVSS5.4AI score0.0028EPSS
CVE
CVE
added 2026/03/06 7:34 p.m.12 views

CVE-2026-30845

Wekan (Meteor-based Kanban) is affected in versions 8.31.0–8.33 where the board composite publication does not filter fields, exposing webhook URLs and authentication tokens to any subscriber, including read-only, comment-only, and unauthenticated DDP clients for public boards. This data exposure...

8.2CVSS5.7AI score0.00291EPSS