Vendor CVEs
Wekan
All CVEs
40 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41455 | Wekan | High | 0.48 | 8.5 | 0.00 | | Apr 22, 2026 | WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs… |
| CVE-2026-41454 | Wekan | High | 0.47 | 8.3 | 0.00 | | Apr 22, 2026 | WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs,… |
| CVE-2018-1000549 | Wekan | Medium | 0.35 | 5.3 | 0.01 | | Jun 26, 2018 | Wekan version 1.04.0 contains an Email / Username Enumeration vulnerability in the 'Register' and 'Forgot your password?' pages that can result in a remote attacker performing a brute force attack to obtain valid usernames and email addresses. This attack appears to be exploitable… |
| CVE-2026-30847 | Wekan | | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data… |
| CVE-2026-30846 | Wekan | | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although… |
| CVE-2026-30845 | Wekan | | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to… |
| CVE-2026-30844 | Wekan | | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without… |
| CVE-2026-30843 | Wekan | | 0.00 | — | 0.00 | | Mar 6, 2026 | Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading… |
| CVE-2026-2209 | Wekan | | 0.00 | — | 0.00 | | Feb 8, 2026 | A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can… |
| CVE-2026-2208 | Wekan | | 0.00 | — | 0.00 | | Feb 8, 2026 | A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version… |
| CVE-2026-2207 | Wekan | | 0.00 | — | 0.00 | | Feb 8, 2026 | A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the… |
| CVE-2026-2206 | Wekan | | 0.00 | — | 0.00 | | Feb 8, 2026 | A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to… |
| CVE-2026-2205 | Wekan | | 0.00 | — | 0.00 | | Feb 8, 2026 | A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version… |
| CVE-2026-25859 | Wekan | | 0.00 | — | 0.00 | | Feb 7, 2026 | Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations. |
| CVE-2026-25568 | Wekan | | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete… |
| CVE-2026-25567 | Wekan | | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier. |
| CVE-2026-25566 | Wekan | | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board,… |
| CVE-2026-25565 | Wekan | | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access. |
| CVE-2026-25564 | Wekan | | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating… |
| CVE-2026-25563 | Wekan | | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating… |
| CVE-2026-25562 | Wekan | | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to… |
| CVE-2026-25561 | Wekan | | 0.00 | — | 0.00 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling… |
| CVE-2026-25560 | Wekan | | 0.00 | — | 0.01 | | Feb 7, 2026 | WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during… |
| CVE-2026-1964 | Wekan | | 0.00 | — | 0.00 | | Feb 5, 2026 | A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix… |
| CVE-2026-1963 | Wekan | | 0.00 | — | 0.00 | | Feb 5, 2026 | A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates… |
| CVE-2026-1962 | Wekan | | 0.00 | — | 0.00 | | Feb 5, 2026 | A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to… |
| CVE-2026-1898 | Wekan | | 0.00 | — | 0.00 | | Feb 5, 2026 | A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to… |
| CVE-2026-1897 | Wekan | | 0.00 | — | 0.00 | | Feb 5, 2026 | A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from… |
| CVE-2026-1896 | Wekan | | 0.00 | — | 0.00 | | Feb 4, 2026 | A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId… |
| CVE-2026-1895 | Wekan | | 0.00 | — | 0.00 | | Feb 4, 2026 | A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version… |
| CVE-2026-1894 | Wekan | | 0.00 | — | 0.00 | | Feb 4, 2026 | A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote… |
| CVE-2026-1892 | Wekan | | 0.00 | — | 0.00 | | Feb 4, 2026 | A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack… |
| CVE-2025-65781 | Wekan | | 0.00 | — | 0.00 | | Dec 15, 2025 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial… |
| CVE-2025-65779 | Wekan | | 0.00 | — | 0.00 | | Dec 15, 2025 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards. |
| CVE-2025-65782 | Wekan | | 0.00 | — | 0.00 | | Dec 15, 2025 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative… |
| CVE-2025-65778 | Wekan | | 0.00 | — | 0.00 | | Dec 15, 2025 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and… |
| CVE-2025-65780 | Wekan | | 0.00 | — | 0.00 | | Dec 15, 2025 | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks;… |
| CVE-2023-28485 | Wekan | | 0.00 | — | 0.01 | | Jun 26, 2023 | A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Any user can obtain the privilege to rename within their own board (where they… |
| CVE-2023-31779 | Wekan | | 0.00 | — | 0.01 | | May 22, 2023 | Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on a kanban board can insert JavaScript code in the "Reaction to comment" feature. |
| CVE-2021-20654 | Wekan | | 0.00 | — | 0.01 | | Feb 10, 2021 | Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. This is named 'Fieldbleed' in the vendor's site. |