Unrated severityNVD Advisory· Published Aug 12, 2025· Updated Aug 12, 2025

Kanboard Path Traversal in File Write via Task File Upload Api

CVE-2025-55011

Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, the createTaskFile method in the API does not validate whether the task_id parameter is a valid task id, nor does it check for path traversal. As a result, a malicious actor could write a file anywhere on the system the app user controls. The impact is limited due to the filename being hashed and having no extension. This issue has been patched in version 1.2.47.

Affected products

Kanboard/Kanboardllm-fuzzy2 versions
<1.2.47+ 1 more
- (no CPE)range: <1.2.47
- (no CPE)range: < 1.2.47

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/kanboard/kanboard/blob/b2e35ac520add67cff792aab960b3c002c48e3d0/app/Api/Procedure/TaskFileProcedure.phpmitrex_refsource_MISC
github.com/kanboard/kanboard/commit/523a6135e944b6884c091a3fd7605af8ef133681mitrex_refsource_MISC
github.com/kanboard/kanboard/security/advisories/GHSA-26f4-rx96-xc55mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000