30 matches found
CVE-2026-2205
WeKan up to 8.20 is affected in the Meteor Publication Handler component, specifically the file server/publications/cards.js, allowing information disclosure via a remote attack. The public descriptions indicate upgrading to version 8.21 mitigates the issue and reference the patch 0f5a9c38778ca55...
CVE-2021-3309
CVE-2021-3309 affects the Wekan LDAP integration: the module at packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections that are not authorized by the Certification Authority trust store, due to improper CA trust verification. This vulnerability could impact confidentialit...
CVE-2023-28485
CVE-2023-28485 affects WeKan prior to 6.75, stemming from a Stored XSS in the file preview/attachment rename logic. The vulnerability allows remote authenticated users to inject arbitrary script or HTML by exploiting file attachment names, with the ability to rename within their board (BoardAdmin...
CVE-2025-65781
Wekan up to v18.15 contains an issue in the Attachment Upload API where the Authorization Bearer value is treated as a userId, causing a non-terminating body-handling path for any non-empty bearer token. This leads to an application-layer DoS and latent identity-spoofing. The vulnerability affect...
CVE-2026-25859
The CVE-2026-25859 entry concerns Wekan versions prior to 8.20, where insufficient permission checks allow non-administrative users to access the migration functionality, potentially enabling unauthorized migration operations. The Red Hat, NVD, EUVD, OSV, CVE lists and PT Security entries corrobo...
CVE-2026-1892
The CVE-2026-1892 entry concerns WeKan up to 8.20, specifically the REST API component and its boards.js function setBoardOrgs. The vulnerability arises from manipulating arguments item.cardId, item.checklistId, or card.boardId, leading to improper authorization. Exploitation could be performed r...
CVE-2026-1896
WeKan up to version 8.20 is affected by a vulnerability in ComprehensiveBoardMigration (server/migrations/comprehensiveBoardMigration.js) where manipulating the boardId argument leads to improper access controls. The issue is remote in nature. A fix is available in WeKan 8.21, with patch identifi...
CVE-2026-2207
WeKan up to 8.20 contains a vulnerability in the Activity Publication Handler, specifically in processing of the file server/publications/activities.js. A manipulation of this component can lead to information disclosure and is exploitable remotely. The issue is addressed by upgrading to version ...
CVE-2026-25567
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user’s identifier. Affected software: ...
CVE-2026-25562
CVE-2026-25562 affects WeKan versions prior to 8.19. Multiple connected sources (PT-2026-6925, Red Hat, NVD/NVD-linked entries) describe an information disclosure where attachment metadata can be returned without proper scoping to boards/cards accessible to the user. Root cause: the system does n...
CVE-2026-25566
The connected documents confirm a concrete vulnerability in WeKan versions prior to 8.19: an authorization flaw in the card move logic allows a user to specify a destination board, list, or swimlane without proper authorization checks and without validating that the destination items belong to th...
CVE-2026-1897
The CVE-2026-1897 entry describes a vulnerability in WeKan up to version 8.20 affecting the Position-History Tracking component, specifically the file server/methods/positionHistory.js. The issue is a missing authorization vulnerability that could allow remote manipulation. The documented remedia...
CVE-2026-2208
WeKan up to version 8.20 contains a vulnerability in the Rules Handler, specifically an unknown function within server/publications/rules.js that allows missing authorization. The issue can be exploited remotely, enabling an attacker to access without proper authorization. It is mitigated by upda...
CVE-2026-2209
CVE-2026-2209 — WeKan : A vulnerability in WeKan up to 8.18 affects the Custom Translation Handler’s translationBody.js, specifically the setCreateTranslation function. The issue permits improper authorization and can be exploited remotely. Remediation is to upgrade to version 8.19, for which a p...
CVE-2025-65778
CVE-2025-65778 affects Wekan (The Open Source Kanban Board) up to version 18.15; fixed in 18.16. Vulnerability arises when uploaded attachments are served with attacker-controlled Content-Type (text/html), permitting execution of attacker-supplied HTML/JS within the application's origin and enabl...
CVE-2026-1894
WeKan up to 8.20 is affected in the REST API component, specifically the file models/checklistItems.js. Manipulating the arguments item.cardId, item.checklistId, or card.boardId can lead to improper authorization and remote exploitation. A fix is available in version 8.21; apply the official patc...
CVE-2026-25565
CVE-2026-25565 affects WeKan versions prior to 8.19. Affected component: card update API paths. Root cause: authorization check only validates board read access, not write permission, enabling users with read-only roles to perform card updates that should require write access. Impact: unauthorize...
CVE-2025-65780
CVE-2025-65780 affects Wekan up to version 18.15 (fixed in 18.16). The issue allows an authenticated user to modify their entire user document (including orgs/teams and loginDisabled) due to missing server-side authorization checks, enabling privilege escalation and unauthorized access to other t...
CVE-2026-1895
CVE-2026-1895 affects WeKan up to version 8.20, specifically the Attachment Storage Handler’s file models/lists.js , function applyWipLimit . The vulnerability arises from a manipulation that can lead to improper access controls and can be exploited remotely. The advisory states that upgrading to...
CVE-2026-1963
Affected software: WeKan up to 8.20. Vulnerability: Improper access controls in the Attachment Storage component, specifically in the file models/attachments.js. The issue could be exploited remotely and is driven by an unspecified function, enabling access control bypass. Impact: High (as per CV...
CVE-2026-1964
CVE-2026-1964 affects WeKan up to version 8.20, in the REST Endpoint’s models/boards.js, causing improper access controls. The vulnerability enables remote exploitation as described across multiple sources, with upgrade to 8.21 and official patch 545566f5663545d16174e0f2399f231aa693ab6e recommend...
CVE-2026-2206
WeKan up to version 8.20 contains a security flaw in the Administrative Repair Handler’s code, specifically in server/methods/fixDuplicateLists.js. The vulnerability enables improper access controls and can be exploited remotely. Evidence across multiple sources confirms the issue and points to u...
CVE-2026-1962
CVE-2026-1962 affects WeKan up to 8.20, in the Attachment Migration component (server/attachmentMigration.js). The issue is an improper access control in an unknown function, potentially exploitable remotely. A fix is available: upgrade to WeKan 8.21; patch identifier 053bf1dfb76ef230db162c64a6ed...
CVE-2026-25561
WeKan versions prior to 8.19 are affected by an authorization weakness in the attachment upload API. The endpoint does not fully validate that identifiers such as boardId, cardId, swimlaneId, and listId consistently refer to a coherent card/board relationship, enabling attachments to be uploaded ...
CVE-2026-25568
WeKan versions prior to 8.19 contain an authorization logic vulnerability where allowPrivateOnly is not sufficiently enforced at board creation time. When enablement is active, users can still create public boards due to incomplete server-side enforcement. Affected products/version range: WeKan
CVE-2026-1898
Issue summary: CVE-2026-1898 affects WeKan up to 8.20 in the LDAP User Sync component, specifically the file packages/wekan-ldap/server/syncUser.js. The vulnerability enables improper access controls and can be exploited remotely. Impact (as described): remote attack capable due to access-control...
CVE-2026-25560
The CVE-2026-25560 issue affects WeKan versions prior to 8.19, where LDAP authentication uses the user-supplied username in LDAP search filters and DN-related values without proper escaping. This LDAP filter injection can allow an attacker to manipulate LDAP queries during authentication, leading...
CVE-2026-25563
CVE-2026-25563 affects WeKan versions prior to 8.19. The issue is an insecure direct object reference (IDOR) in checklist creation and related routes: the implementation does not verify that the supplied cardId belongs to the supplied boardId, enabling cross-board ID tampering. Public documents f...
CVE-2026-25564
WeKan versions prior to 8.19 are affected by an insecure direct object reference (IDOR) in checklist creation and related routes. The issue arises because the implementation does not verify that the supplied cardId belongs to the supplied boardId, enabling cross-board ID tampering by manipulating...
CVE-2025-65779
Wekan up to version 18.15 is affected; fixed in 18.16. An unauthenticated attacker can update a board's sort value because Boards.allow returns true without verifying userId, enabling arbitrary reordering of boards. Affected: Wekan (Open Source Kanban board) prior to 18.16. Impact: potential alte...