VYPR

Wekan

by Wekan

CVEs (40)

  • CVE-2026-25562 (Feb 7, 2026)
    risk 0.00 cvss, epss 0.00

    WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to…

  • CVE-2026-25561 (Feb 7, 2026)
    risk 0.00 cvss, epss 0.00

    WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling…

  • CVE-2026-25560 (Feb 7, 2026)
    risk 0.00 cvss, epss 0.01

    WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during…

  • CVE-2026-1964 (Feb 5, 2026)
    risk 0.00 cvss, epss 0.00

    A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix…

  • CVE-2026-1963 (Feb 5, 2026)
    risk 0.00 cvss, epss 0.00

    A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates…

  • CVE-2026-1962 (Feb 5, 2026)
    risk 0.00 cvss, epss 0.00

    A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to…

  • CVE-2026-1898 (Feb 5, 2026)
    risk 0.00 cvss, epss 0.00

    A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to…

  • CVE-2026-1897 (Feb 5, 2026)
    risk 0.00 cvss, epss 0.00

    A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from…

  • CVE-2026-1896 (Feb 4, 2026)
    risk 0.00 cvss, epss 0.00

    A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId…

  • CVE-2026-1895 (Feb 4, 2026)
    risk 0.00 cvss, epss 0.00

    A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version…

  • CVE-2026-1894 (Feb 4, 2026)
    risk 0.00 cvss, epss 0.00

    A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote…

  • CVE-2026-1892 (Feb 4, 2026)
    risk 0.00 cvss, epss 0.00

    A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack…

  • CVE-2025-65781 (Dec 15, 2025)
    risk 0.00 cvss, epss 0.00

    An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial…

  • CVE-2025-65782 (Dec 15, 2025)
    risk 0.00 cvss, epss 0.00

    An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative…

  • CVE-2025-65780 (Dec 15, 2025)
    risk 0.00 cvss, epss 0.00

    An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks;…

  • CVE-2025-65778 (Dec 15, 2025)
    risk 0.00 cvss, epss 0.00

    An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and…

  • CVE-2025-65779 (Dec 15, 2025)
    risk 0.00 cvss, epss 0.00

    An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards.

  • CVE-2023-28485 (Jun 26, 2023)
    risk 0.00 cvss, epss 0.01

    A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Any user can obtain the privilege to rename within their own board (where they…

  • CVE-2023-31779 (May 22, 2023)
    risk 0.00 cvss, epss 0.01

    Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on a kanban board can insert JavaScript code in the "Reaction to comment" feature.

  • CVE-2021-20654 (Feb 10, 2021)
    risk 0.00 cvss, epss 0.01

    Wekan, the open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting issues. This is named 'Fieldbleed' on the vendor's site.

Page 2 of 2