Vendor CVEs
Kanboard
All CVEs
49 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-12851 | Hig | 0.57 | 8.8 | 0.01 | Aug 14, 2017 | An authenticated standard user could reset the password of the admin by altering form data. Affects kanboard before 1.0.46. | ||
| CVE-2017-12850 | Hig | 0.57 | 8.8 | 0.01 | Aug 14, 2017 | An authenticated standard user could reset the password of other users (including the admin) by altering form data. Affects kanboard before 1.0.46. | ||
| CVE-2017-15212 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user. | ||
| CVE-2017-15211 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user. | ||
| CVE-2017-15210 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user. | ||
| CVE-2017-15209 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user. | ||
| CVE-2017-15208 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user. | ||
| CVE-2017-15207 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user. | ||
| CVE-2017-15206 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user. | ||
| CVE-2017-15205 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can download attachments from a private project of another user. | ||
| CVE-2017-15204 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user. | ||
| CVE-2017-15203 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user. | ||
| CVE-2017-15202 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user. | ||
| CVE-2017-15201 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user. | ||
| CVE-2017-15200 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user. | ||
| CVE-2017-15199 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description. | ||
| CVE-2017-15198 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit a category of a private project of another user. | ||
| CVE-2017-15197 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user. | ||
| CVE-2017-15196 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user. | ||
| CVE-2017-15195 | Med | 0.28 | 4.3 | 0.01 | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user. | ||
| CVE-2026-56774 | 0.00 | — | 0.00 | Jun 26, 2026 | Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate… | |||
| CVE-2026-33058 | 0.00 | — | 0.00 | Mar 18, 2026 | Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard… | |||
| CVE-2026-29056 | 0.00 | — | 0.00 | Mar 18, 2026 | Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field.… | |||
| CVE-2026-25531 | 0.00 | — | 0.00 | Feb 13, 2026 | Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to… | |||
| CVE-2026-25924 | 0.00 | — | 0.00 | Feb 11, 2026 | Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin… | |||
| CVE-2026-25530 | 0.00 | — | 0.00 | Feb 10, 2026 | Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50. | |||
| CVE-2026-24885 | 0.00 | — | 0.00 | Feb 10, 2026 | Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json… | |||
| CVE-2026-21881 | 0.00 | — | 0.00 | Jan 8, 2026 | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the… | |||
| CVE-2026-21880 | 0.00 | — | 0.00 | Jan 8, 2026 | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing… | |||
| CVE-2026-21879 | 0.00 | — | 0.00 | Jan 8, 2026 | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers… | |||
| CVE-2025-55010 | 0.00 | — | 0.01 | Aug 12, 2025 | Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"]… | |||
| CVE-2025-55011 | 0.00 | — | 0.00 | Aug 12, 2025 | Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, the createTaskFile method in the API does not validate whether the task_id parameter is a valid task id, nor does it check for path traversal. As a result, a malicious actor… | |||
| CVE-2025-52576 | 0.00 | — | 0.00 | Jun 25, 2025 | Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker… | |||
| CVE-2025-52560 | 0.00 | — | 0.00 | Jun 24, 2025 | Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This… | |||
| CVE-2025-46825 | 0.00 | — | 0.00 | May 12, 2025 | Kanboard is project management software that focuses on the Kanban methodology. Versions 1.2.26 through 1.2.44 have a Stored Cross-Site Scripting (XSS) Vulnerability in the `name` parameter of the `http://localhost/?controller=ProjectCreationController&action=create` form. This… | |||
| CVE-2024-55603 | 0.00 | — | 0.00 | Dec 18, 2024 | Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler (`app/Core/Session/SessionHandler.php`), to store the session data… | |||
| CVE-2024-54001 | 0.00 | — | 0.00 | Dec 5, 2024 | Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields application_language, application_date_format,application_timezone and application_time_format allow arbirary user… | |||
| CVE-2024-51747 | 0.00 | — | 0.01 | Nov 11, 2024 | Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can read and delete arbitrary files from the server. File attachments, that are viewable or downloadable in Kanboard are resolved through its `path` entry in the… | |||
| CVE-2024-51748 | 0.00 | — | 0.01 | Nov 11, 2024 | Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can run arbitrary php code on the server in combination with a file write possibility. The user interface language is determined and loaded by the setting… | |||
| CVE-2024-36399 | 0.00 | — | 0.00 | Jun 6, 2024 | Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is… | |||
| CVE-2024-22720 | 0.00 | — | 0.00 | Jan 24, 2024 | Kanboard 1.2.34 is vulnerable to Html Injection in the group management feature. | |||
| CVE-2023-36813 | 0.00 | — | 0.01 | Jul 5, 2023 | Kanboard is project management software that focuses on the Kanban methodology. In versions prior to 1.2.31authenticated user is able to perform a SQL Injection, leading to a privilege escalation or loss of confidentiality. It appears that in some insert and update operations,… | |||
| CVE-2023-33969 | 0.00 | — | 0.01 | Jun 5, 2023 | Kanboard is open source project management software that focuses on the Kanban methodology. A stored Cross site scripting (XSS) allows an attacker to execute arbitrary Javascript and any user who views the task containing the malicious code will be exposed to the XSS attack.… | |||
| CVE-2023-33970 | 0.00 | — | 0.01 | Jun 5, 2023 | Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a `missing access control` was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they… | |||
| CVE-2023-33968 | 0.00 | — | 0.00 | Jun 5, 2023 | Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to a missing access control vulnerability that allows a user with low privileges to create or transfer tasks to any project within the software, even… | |||
| CVE-2023-33956 | 0.00 | — | 0.01 | Jun 5, 2023 | Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure direct object reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read… | |||
| CVE-2023-32685 | 0.00 | — | 0.01 | May 30, 2023 | Kanboard is project management software that focuses on the Kanban methodology. Due to improper handling of elements under the `contentEditable` element, maliciously crafted clipboard content can inject arbitrary HTML tags into the DOM. A low-privileged attacker with permission… | |||
| CVE-2019-7324 | 0.00 | — | 0.01 | Feb 4, 2019 | app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting. | |||
| CVE-2014-3920 | 0.00 | — | 0.01 | Jul 3, 2014 | Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI. |
- risk 0.57cvss 8.8epss 0.01
An authenticated standard user could reset the password of the admin by altering form data. Affects kanboard before 1.0.46.
- risk 0.57cvss 8.8epss 0.01
An authenticated standard user could reset the password of other users (including the admin) by altering form data. Affects kanboard before 1.0.46.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can download attachments from a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit a category of a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user.
- risk 0.28cvss 4.3epss 0.01
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.
- CVE-2026-56774Jun 26, 2026risk 0.00cvss —epss 0.00
Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate…
- CVE-2026-33058Mar 18, 2026risk 0.00cvss —epss 0.00
Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard…
- CVE-2026-29056Mar 18, 2026risk 0.00cvss —epss 0.00
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field.…
- CVE-2026-25531Feb 13, 2026risk 0.00cvss —epss 0.00
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to…
- CVE-2026-25924Feb 11, 2026risk 0.00cvss —epss 0.00
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin…
- CVE-2026-25530Feb 10, 2026risk 0.00cvss —epss 0.00
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50.
- CVE-2026-24885Feb 10, 2026risk 0.00cvss —epss 0.00
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json…
- CVE-2026-21881Jan 8, 2026risk 0.00cvss —epss 0.00
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the…
- CVE-2026-21880Jan 8, 2026risk 0.00cvss —epss 0.00
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing…
- CVE-2026-21879Jan 8, 2026risk 0.00cvss —epss 0.00
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers…
- CVE-2025-55010Aug 12, 2025risk 0.00cvss —epss 0.01
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"]…
- CVE-2025-55011Aug 12, 2025risk 0.00cvss —epss 0.00
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, the createTaskFile method in the API does not validate whether the task_id parameter is a valid task id, nor does it check for path traversal. As a result, a malicious actor…
- CVE-2025-52576Jun 25, 2025risk 0.00cvss —epss 0.00
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker…
- CVE-2025-52560Jun 24, 2025risk 0.00cvss —epss 0.00
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This…
- CVE-2025-46825May 12, 2025risk 0.00cvss —epss 0.00
Kanboard is project management software that focuses on the Kanban methodology. Versions 1.2.26 through 1.2.44 have a Stored Cross-Site Scripting (XSS) Vulnerability in the `name` parameter of the `http://localhost/?controller=ProjectCreationController&action=create` form. This…
- CVE-2024-55603Dec 18, 2024risk 0.00cvss —epss 0.00
Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler (`app/Core/Session/SessionHandler.php`), to store the session data…
- CVE-2024-54001Dec 5, 2024risk 0.00cvss —epss 0.00
Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields application_language, application_date_format,application_timezone and application_time_format allow arbirary user…
- CVE-2024-51747Nov 11, 2024risk 0.00cvss —epss 0.01
Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can read and delete arbitrary files from the server. File attachments, that are viewable or downloadable in Kanboard are resolved through its `path` entry in the…
- CVE-2024-51748Nov 11, 2024risk 0.00cvss —epss 0.01
Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can run arbitrary php code on the server in combination with a file write possibility. The user interface language is determined and loaded by the setting…
- CVE-2024-36399Jun 6, 2024risk 0.00cvss —epss 0.00
Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is…
- CVE-2024-22720Jan 24, 2024risk 0.00cvss —epss 0.00
Kanboard 1.2.34 is vulnerable to Html Injection in the group management feature.
- CVE-2023-36813Jul 5, 2023risk 0.00cvss —epss 0.01
Kanboard is project management software that focuses on the Kanban methodology. In versions prior to 1.2.31authenticated user is able to perform a SQL Injection, leading to a privilege escalation or loss of confidentiality. It appears that in some insert and update operations,…
- CVE-2023-33969Jun 5, 2023risk 0.00cvss —epss 0.01
Kanboard is open source project management software that focuses on the Kanban methodology. A stored Cross site scripting (XSS) allows an attacker to execute arbitrary Javascript and any user who views the task containing the malicious code will be exposed to the XSS attack.…
- CVE-2023-33970Jun 5, 2023risk 0.00cvss —epss 0.01
Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a `missing access control` was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they…
- CVE-2023-33968Jun 5, 2023risk 0.00cvss —epss 0.00
Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to a missing access control vulnerability that allows a user with low privileges to create or transfer tasks to any project within the software, even…
- CVE-2023-33956Jun 5, 2023risk 0.00cvss —epss 0.01
Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure direct object reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read…
- CVE-2023-32685May 30, 2023risk 0.00cvss —epss 0.01
Kanboard is project management software that focuses on the Kanban methodology. Due to improper handling of elements under the `contentEditable` element, maliciously crafted clipboard content can inject arbitrary HTML tags into the DOM. A low-privileged attacker with permission…
- CVE-2019-7324Feb 4, 2019risk 0.00cvss —epss 0.01
app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting.
- CVE-2014-3920Jul 3, 2014risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI.