CVE-2026-25560— WeKan < 8.19 LDAP Authentication Filter Injection
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-25560
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WeKan < 8.19 LDAP Authentication Filter Injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
LDAP查询中使用的特殊元素转义处理不恰当(LDAP注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WeKan 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WeKan是WeKan开源的一个看板应用程序。 WeKan 8.19之前版本存在注入漏洞,该漏洞源于LDAP身份验证中用户提供的用户名输入未经充分转义即并入LDAP搜索过滤器和DN相关值,可能导致LDAP过滤器注入攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-25560
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-25560
请登录查看更多情报信息。
Same Patch Batch · WeKan · 2026-02-07 · 10 CVEs total
| CVE-2026-25567 | WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId | |
| CVE-2026-25565 | WeKan < 8.19 Read-only Board Roles Can Update Cards | |
| CVE-2026-25561 | WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass | |
| CVE-2026-25568 | WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass | |
| CVE-2026-25564 | WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation | |
| CVE-2026-25562 | WeKan < 8.19 Attachments Publication Information Disclosure | |
| CVE-2026-25563 | WeKan < 8.19 Checklist Creation Cross-Board IDOR | |
| CVE-2026-25566 | WeKan < 8.19 Cross-board Card Move Without Destination Authorization | |
| CVE-2026-25859 | WeKan < 8.20 Migration Functionality Insufficient Permission Checks |
IV. Related Vulnerabilities
Same product: WeKan
- CVE-2026-41455
WeKan < 8.35 SSRF via Webhook URL - CVE-2026-41454
WeKan < 8.35 Missing Authorization via Integration REST API - CVE-2026-30847
Wekan Credential Leak via notificationUsers Publication Expo - CVE-2026-30846
Wekan Exposes All Global Webhook Integrations through global - CVE-2026-30845
Wekan Exposes Sensitive Data through Lack of Field Filtering
Same vendor: WeKan
- CVE-2026-41455
WeKan < 8.35 SSRF via Webhook URL - CVE-2026-41454
WeKan < 8.35 Missing Authorization via Integration REST API - CVE-2026-30847
Wekan Credential Leak via notificationUsers Publication Expo - CVE-2026-30846
Wekan Exposes All Global Webhook Integrations through global - CVE-2026-30845
Wekan Exposes Sensitive Data through Lack of Field Filtering
Same weakness: CWE-90
- CVE-2026-40606
ProxyAuth Addon LDAP Injection in mitmproxy - CVE-2026-40459
LDAP Injection in PAC4J - CVE-2026-40193
Maddy Mail Server: LDAP Filter Injection via Unsanitized Use - CVE-2026-0636
LDAP Injection Vulnerability in LDAPStoreHelper.java - CVE-2026-39962
LDAP injection in MISP ApacheAuthenticate when using a user-
V. Comments for CVE-2026-25560
No comments yet