
Wekan — Vulnerabilities & Security Advisories (32)

All 32 CVE vulnerabilities found in Wekan, with AI-generated Chinese analysis, references, and POCs.

This page documents known weaknesses in Wekan, an open-source collaborative kanban web application developed by Wekan. It aggregates the security vulnerabilities affecting this product into a single view of its security posture over time. The entries cover a broad range of vulnerability types, including Cross-Site Scripting (XSS), Authentication Bypass, and Server-Side Request Forgery (SSRF), with data spanning from the initial public releases to the present. Users and security researchers get a complete timeline of reported issues and can track vendor advisory updates to stay informed about recent patches and critical fixes. The listing also shows which weakness classes recur in Wekan, helping administrators assess risk in their own deployments, and serves as a reference for the product's full vulnerability history, so teams can review past incidents and judge whether the mitigations they applied were effective. Highlighting trends and recurring issues in this way supports prioritizing remediation and keeping Wekan instances stable across operational contexts.

Vendor: Wekan Team

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41455 | WeKan < 8.35 SSRF via Webhook URL | CWE-918 | 8.5 | High | 2026-04-22 |
| CVE-2026-41454 | WeKan < 8.35 Missing Authorization via Integration REST API | CWE-862 | 8.3 | High | 2026-04-22 |
| CVE-2026-30847 | Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens | CWE-200 | 6.5 | - | 2026-03-06 |
| CVE-2026-30846 | Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication | CWE-306 | 7.5 | - | 2026-03-06 |
| CVE-2026-30845 | Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication | CWE-200 | 7.5 | - | 2026-03-06 |
| CVE-2026-30844 | Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading | CWE-918 | 9.1 | - | 2026-03-06 |
| CVE-2026-30843 | Wekan has Cross-Board IDOR in Custom Fields Update Endpoints | CWE-639 | 6.5 | - | 2026-03-06 |
| CVE-2026-2209 | WeKan Custom Translation translationBody.js setCreateTranslation improper authorization | CWE-285 | 6.3 | Medium | 2026-02-08 |
| CVE-2026-2208 | WeKan Rules rules.js RulesBleed authorization | CWE-862 | 4.3 | Medium | 2026-02-08 |
| CVE-2026-2207 | WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure | CWE-200 | 5.3 | Medium | 2026-02-08 |
| CVE-2026-2206 | WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control | CWE-284 | 6.3 | Medium | 2026-02-08 |
| CVE-2026-2205 | WeKan Meteor Publication cards.js CardPubSubBleed information disclosure | CWE-200 | 4.3 | Medium | 2026-02-08 |
| CVE-2026-25859 | WeKan < 8.20 Migration Functionality Insufficient Permission Checks | CWE-863 | 7.1 (AI) | High (AI) | 2026-02-07 |
| CVE-2026-25568 | WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass | CWE-863 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25567 | WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25566 | WeKan < 8.19 Cross-board Card Move Without Destination Authorization | CWE-863 | 3.3 (AI) | Low (AI) | 2026-02-07 |
| CVE-2026-25565 | WeKan < 8.19 Read-only Board Roles Can Update Cards | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25564 | WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25563 | WeKan < 8.19 Checklist Creation Cross-Board IDOR | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25562 | WeKan < 8.19 Attachments Publication Information Disclosure | CWE-203 | 5.3 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25561 | WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass | CWE-863 | 7.5 (AI) | High (AI) | 2026-02-07 |
| CVE-2026-25560 | WeKan < 8.19 LDAP Authentication Filter Injection | CWE-90 | 7.5 (AI) | High (AI) | 2026-02-07 |
| CVE-2026-1964 | WeKan REST Endpoint boards.js BoardTitleRESTBleed access control | CWE-284 | 4.3 | Medium | 2026-02-05 |
| CVE-2026-1963 | WeKan Attachment Storage attachments.js MoveStorageBleed access control | CWE-284 | 6.3 | Medium | 2026-02-05 |
| CVE-2026-1962 | WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control | CWE-284 | 6.3 | Medium | 2026-02-05 |
| CVE-2026-1898 | WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control | CWE-284 | 6.3 | Medium | 2026-02-05 |
| CVE-2026-1897 | WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization | CWE-862 | 4.3 | Medium | 2026-02-05 |
| CVE-2026-1896 | WeKan Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration MigrationBleed access control | CWE-284 | 6.3 | Medium | 2026-02-04 |
| CVE-2026-1895 | WeKan Attachment Storage lists.js applyWipLimit ListWIPBleed access control | CWE-284 | 6.3 | Medium | 2026-02-04 |
| CVE-2026-1894 | WeKan REST API checklistItems.js Checklist REST Bleed improper authorization | CWE-285 | 6.3 | Medium | 2026-02-04 |

Scores and severities marked (AI) carry the page's "AI" label, i.e. they are AI-generated ratings rather than the advisory's own; a "-" severity means none is given.
