Wekan
by Wekan
Source repositories
CVEs (40)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41455 | Wekan / Wekan | High | 0.48 | 8.5 | 0.00 | | Apr 22, 2026 | WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs… |
| CVE-2026-41454 | Wekan / Wekan | High | 0.47 | 8.3 | 0.00 | | Apr 22, 2026 | WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs,… |
| CVE-2018-1000549 | Wekan / Wekan | Medium | 0.35 | 5.3 | 0.01 | | Jun 26, 2018 | Wekan version 1.04.0 contains an Email / Username Enumeration vulnerability in the 'Register' and 'Forgot your password?' pages. A remote attacker could perform a brute force attack to obtain valid usernames and email addresses. This attack appears to be exploitable… |
| CVE-2026-30847 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data… |
| CVE-2026-30846 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although… |
| CVE-2026-30845 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to… |
| CVE-2026-30844 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without… |
| CVE-2026-30843 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading… |
| CVE-2026-2209 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 8, 2026 | A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can… |
| CVE-2026-2208 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 8, 2026 | A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version… |
| CVE-2026-2207 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 8, 2026 | A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the… |
| CVE-2026-2206 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 8, 2026 | A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to… |
| CVE-2026-2205 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 8, 2026 | A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version… |
| CVE-2026-25859 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 7, 2026 | Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations. |
| CVE-2026-25568 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete… |
| CVE-2026-25567 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier. |
| CVE-2026-25566 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board,… |
| CVE-2026-25565 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access. |
| CVE-2026-25564 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating… |
| CVE-2026-25563 | Wekan / Wekan | — | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating… |