VYPR

Wekan

by Wekan

Source repositories

CVEs (40)

  • CVE-2026-41455  High  Apr 22, 2026
    risk 0.48  cvss 8.5  epss 0.00

    WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs…

  • CVE-2026-41454  High  Apr 22, 2026
    risk 0.47  cvss 8.3  epss 0.00

    WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs,…

  • CVE-2018-1000549  Medium  Jun 26, 2018
    risk 0.35  cvss 5.3  epss 0.01

    Wekan version 1.04.0 contains an email/username enumeration vulnerability in the 'Register' and 'Forgot your password?' pages; a remote attacker can brute-force these pages to obtain valid usernames and email addresses. This attack appears to be exploitable…

  • CVE-2026-30847  Mar 6, 2026
    risk 0.00  cvss n/a  epss 0.00

    Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data…

  • CVE-2026-30846  Mar 6, 2026
    risk 0.00  cvss n/a  epss 0.00

    Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although…

  • CVE-2026-30845  Mar 6, 2026
    risk 0.00  cvss n/a  epss 0.00

    Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to…

  • CVE-2026-30844  Mar 6, 2026
    risk 0.00  cvss n/a  epss 0.00

    Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without…

  • CVE-2026-30843  Mar 6, 2026
    risk 0.00  cvss n/a  epss 0.00

    Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading…

  • CVE-2026-2209  Feb 8, 2026
    risk 0.00  cvss n/a  epss 0.00

    A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can…

  • CVE-2026-2208  Feb 8, 2026
    risk 0.00  cvss n/a  epss 0.00

    A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version…

  • CVE-2026-2207  Feb 8, 2026
    risk 0.00  cvss n/a  epss 0.00

    A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the…

  • CVE-2026-2206  Feb 8, 2026
    risk 0.00  cvss n/a  epss 0.00

    A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to…

  • CVE-2026-2205  Feb 8, 2026
    risk 0.00  cvss n/a  epss 0.00

    A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version…

  • CVE-2026-25859  Feb 7, 2026
    risk 0.00  cvss n/a  epss 0.00

    Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.

  • CVE-2026-25568  Feb 7, 2026
    risk 0.00  cvss n/a  epss 0.00

    WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete…

  • CVE-2026-25567  Feb 7, 2026
    risk 0.00  cvss n/a  epss 0.00

    WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.

  • CVE-2026-25566  Feb 7, 2026
    risk 0.00  cvss n/a  epss 0.00

    WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board,…

  • CVE-2026-25565  Feb 7, 2026
    risk 0.00  cvss n/a  epss 0.00

    WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.

  • CVE-2026-25564  Feb 7, 2026
    risk 0.00  cvss n/a  epss 0.00

    WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating…

  • CVE-2026-25563  Feb 7, 2026
    risk 0.00  cvss n/a  epss 0.00

    WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating…
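
Two entries above (CVE-2026-41455, webhook integration URLs; CVE-2026-30844, attachment URLs during board import) share one root cause: the server fetches a user-supplied URL with no scheme restriction and no destination validation. The following is an added example of the validation a server should apply before any such fetch. It is not Wekan's code or its fix; the function name `validateOutboundUrl`, the http/https-only policy and the blocked-range list are assumptions made for the example. It parses with the WHATWG URL class first, so shorthand literals (`http://2130706433/`, `http://127.1/`) are normalised to dotted form before the range check; the bracketed IPv6 form and IPv4-mapped addresses, which the parser serialises as `::ffff:7f00:1`, are handled explicitly.

```javascript
// Added example, not Wekan's code: validate a user-supplied outbound URL
// (webhook target, import attachment URL) before the server fetches it.
// Assumptions: a JavaScript runtime with the WHATWG URL class; http/https
// only; the blocked-range list is this example's choice, not Wekan's policy.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Non-public IPv4: unspecified (0/8), RFC 1918, loopback, link-local
// (includes 169.254.169.254 cloud metadata), CGNAT, multicast/reserved.
function isBlockedIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  if (a === 0 || a === 10 || a === 127) return true;
  if (a === 169 && b === 254) return true;
  if (a === 172 && b >= 16 && b <= 31) return true;
  if (a === 192 && b === 168) return true;
  if (a === 100 && b >= 64 && b <= 127) return true;
  if (a >= 224) return true;
  return false;
}

// Non-public IPv6: unspecified, loopback, link-local, ULA, multicast, and
// IPv4-mapped addresses. The URL parser serialises the mapped form as
// ::ffff:7f00:1, so both the hex and the dotted spelling are checked.
function isBlockedIPv6(ip) {
  const v = ip.toLowerCase();
  if (v === "::" || v === "::1") return true;
  if (/^(fe[89ab]|f[cdf])/.test(v)) return true;
  const hex = v.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  const dotted = v.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return dotted ? isBlockedIPv4(dotted[1]) : false;
}

// Returns { ok: true, url } for an acceptable public http(s) URL,
// otherwise { ok: false, reason }.
function validateOutboundUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL not allowed" };
  }
  let host = url.hostname.toLowerCase();
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "" || host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "local hostname not allowed" };
  }
  if (/^\d+(\.\d+){3}$/.test(host)) {
    if (isBlockedIPv4(host)) return { ok: false, reason: "non-public IPv4 destination" };
  } else if (host.includes(":")) {
    if (isBlockedIPv6(host)) return { ok: false, reason: "non-public IPv6 destination" };
  }
  return { ok: true, url: url.toString() };
}
```

This check only inspects literal addresses. A hostname that resolves to an internal address, or that changes its answer between validation and fetch (DNS rebinding), passes it, so the same range checks must also run on the resolved address inside the HTTP client, with redirects either disabled or re-validated hop by hop.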

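Most of the 8.19 and 8.33 authorization entries above (CVE-2026-25567 author spoofing, CVE-2026-25566 unchecked move destinations, CVE-2026-25565 read access accepted where write is needed, CVE-2026-25564 and CVE-2026-25563 cardId not tied to boardId, CVE-2026-30843 cross-board custom field updates, CVE-2026-41454 missing privilege checks on integration endpoints) are instances of the same few missing checks on a mutating endpoint. The following added example shows those checks together for a comment-creation and a card-move handler. It is not Wekan's code: the in-memory `db`, the role names "normal" and "read-only", the route comments and the parameter shapes are assumptions for the example.

```javascript
// Added example, not Wekan's code. Constructed in-memory data standing in
// for a database; the role vocabulary and record shapes are assumptions.
const db = {
  boards: {
    b1: { members: { alice: "normal", bob: "read-only" } },
    b2: { members: { carol: "normal" } },
  },
  lists: { l1: { boardId: "b1" }, l2: { boardId: "b2" } },
  swimlanes: { s1: { boardId: "b1" }, s2: { boardId: "b2" } },
  cards: {
    c1: { boardId: "b1", listId: "l1", swimlaneId: "s1" },
    c2: { boardId: "b2", listId: "l2", swimlaneId: "s2" },
  },
  comments: [],
};

class AuthzError extends Error {}

// Membership and role check. A missing board and a forbidden board get the
// same error so the endpoint does not leak which board IDs exist.
function requireRole(boardId, userId, needWrite) {
  const board = db.boards[boardId];
  if (!board) throw new AuthzError("not a board member");
  const role = board.members[userId];
  if (!role) throw new AuthzError("not a board member");
  if (needWrite && role === "read-only") throw new AuthzError("write access required");
  return role;
}

// Ownership check: the card must belong to the board named in the route,
// otherwise a caller can reach cards on boards they are not a member of.
function requireCardInBoard(boardId, cardId) {
  const card = db.cards[cardId];
  if (!card || card.boardId !== boardId) throw new AuthzError("card not in board");
  return card;
}

// Same idea for a list or swimlane named as a destination.
function requireChildOfBoard(collection, id, boardId) {
  const doc = db[collection][id];
  if (!doc || doc.boardId !== boardId) throw new AuthzError(`${collection} entry not in board`);
  return doc;
}

// POST /boards/:boardId/cards/:cardId/comments (assumed route).
// The author is the authenticated session user; an authorId in the body is ignored.
function createComment(session, boardId, cardId, body) {
  requireRole(boardId, session.userId, true);
  requireCardInBoard(boardId, cardId);
  const comment = { cardId, boardId, authorId: session.userId, text: String(body.text) };
  db.comments.push(comment);
  return comment;
}

// PUT /boards/:boardId/cards/:cardId/move (assumed route).
// Write access is required on the source and the destination board, and
// the destination list and swimlane must belong to the destination board.
function moveCard(session, boardId, cardId, dest) {
  requireRole(boardId, session.userId, true);
  const card = requireCardInBoard(boardId, cardId);
  requireRole(dest.boardId, session.userId, true);
  requireChildOfBoard("lists", dest.listId, dest.boardId);
  requireChildOfBoard("swimlanes", dest.swimlaneId, dest.boardId);
  Object.assign(card, { boardId: dest.boardId, listId: dest.listId, swimlaneId: dest.swimlaneId });
  return card;
}
```

The pattern to carry over is that every ID the client supplies is validated against the ID the route already binds (board), that the actor comes from the session and never from the body, and that the check asks for the permission the operation needs (write, or admin for repair and migration endpoints) rather than merely for visibility of the board.
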
Page 1 of 2