Unrated severityNVD Advisory· Published Aug 12, 2025· Updated Aug 12, 2025

Kanboard Authenticated Admin Remote Code Execution via Unsafe Deserialization of Events

CVE-2025-55010

Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.

Affected products

Kanboard/Kanboardllm-fuzzy2 versions
<1.2.47+ 1 more
- (no CPE)range: <1.2.47
- (no CPE)range: < 1.2.47

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/kanboard/kanboard/blob/b033c0e0f982f8158e240bce8ab54c29727f8efe/app/Formatter/ProjectActivityEventFormatter.phpmitrex_refsource_MISC
github.com/kanboard/kanboard/commit/7148ac092e5db6b33e0fc35e04bca328d96c1f6fmitrex_refsource_MISC
github.com/kanboard/kanboard/security/advisories/GHSA-359x-c69j-q64rmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.004
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000