VYPR
Unrated severityNVD Advisory· Published Feb 7, 2026· Updated Mar 5, 2026

WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId

CVE-2026-25567

Description

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Wekan/Wekanllm-fuzzy2 versions
    <8.19+ 1 more
    • (no CPE)range: <8.19
    • (no CPE)range: 0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.