
kanboard — Vulnerabilities & Security Advisories (25)

Browse all 25 CVE security advisories affecting kanboard. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Kanboard is an open-source project management tool utilizing the Kanban methodology to visualize workflow and limit work in progress. Its primary use case involves facilitating agile task tracking for teams seeking a lightweight, self-hosted alternative to complex enterprise solutions. Security audits have identified twenty-five distinct Common Vulnerabilities and Exposures (CVEs) associated with the platform, highlighting significant historical weaknesses. These vulnerabilities predominantly involve cross-site scripting (XSS), SQL injection, and remote code execution (RCE), often stemming from insufficient input validation and improper access controls. Notable incidents include critical flaws allowing unauthenticated attackers to execute arbitrary commands or escalate privileges within the application environment. While the software offers flexibility for small to medium-sized organizations, the high volume of disclosed CVEs underscores the necessity for rigorous patch management and secure configuration practices to mitigate risks associated with its PHP-based architecture.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-33058 | Kanboard has Authenticated SQL Injection in Project Permissions Handler | kanboard | CWE-89 | 6.5 | - | 2026-03-18
CVE-2026-29056 | Kanboard's privilege escalation via mass assignment in user invite registration allows any invited user to become admin | kanboard | CWE-915 | 8.8 | - | 2026-03-18
CVE-2026-25531 | Kanboard TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects | kanboard | CWE-862 | 4.3 | Medium | 2026-02-13
CVE-2026-25924 | Kanboard is Missing Access Control on Plugin Installation leading to Administrative RCE | kanboard | CWE-863 | 8.5 | High | 2026-02-11
CVE-2026-25530 | Kanboard is missing authorization check in getSwimlane API allows cross-project data access | kanboard | CWE-639 | 4.3 | Medium | 2026-02-10
CVE-2026-24885 | Kanboard Affected by Cross-Site Request Forgery (CSRF) via Content-Type Misconfiguration in Project Role Assignment | kanboard | CWE-352 | 5.7 | Medium | 2026-02-10
CVE-2026-21881 | Kanboard is Vulnerable to Reverse Proxy Authentication Bypass | kanboard | CWE-287 | 9.1 | Critical | 2026-01-08
CVE-2026-21880 | Kanboard LDAP Injection Vulnerability can Lead to User Enumeration and Information Disclosure | kanboard | CWE-90 | 5.3 | Medium | 2026-01-08
CVE-2026-21879 | Kanboard vulnerable to Open Redirect via protocol-relative URLs | kanboard | CWE-601 | 4.7 | Medium | 2026-01-08
CVE-2025-55010 | Kanboard Authenticated Admin Remote Code Execution via Unsafe Deserialization of Events | kanboard | CWE-502 | 9.1 | Critical | 2025-08-12
CVE-2025-55011 | Kanboard Path Traversal in File Write via Task File Upload API | kanboard | CWE-22 | 6.4 | Medium | 2025-08-12
CVE-2025-52576 | Kanboard vulnerable to Username Enumeration via Login Behavior and Bruteforce Protection Bypass | kanboard | CWE-203 | 5.3 | Medium | 2025-06-25
CVE-2025-52560 | Kanboard Password Reset Poisoning via Host Header Injection | kanboard | CWE-640 | 8.1 | High | 2025-06-24
CVE-2025-46825 | Kanboard has stored Cross-site Scripting vulnerability in project name | kanboard | CWE-79 | 6.1 | Medium | 2025-05-12
CVE-2024-55603 | Insufficient session invalidation in Kanboard | kanboard | CWE-613 | 6.5 | Medium | 2024-12-18
CVE-2024-54001 | Kanboard allows persistent HTML injection (cross-site scripting) in settings page date format | kanboard | CWE-80 | 5.5 | Medium | 2024-12-05
CVE-2024-51747 | Arbitrary File Read and Delete in kanboard | kanboard | CWE-22 | 9.1 | Critical | 2024-11-11
CVE-2024-51748 | Remote code execution through language setting in kanboard | kanboard | CWE-22 | 9.1 | Critical | 2024-11-11
CVE-2024-36399 | Kanboard affected by Project Takeover via IDOR in ProjectPermissionController | kanboard | CWE-284 | 8.2 | High | 2024-06-06
CVE-2023-36813 | Kanboard Authenticated SQL Injection vulnerability | kanboard | CWE-89 | 7.1 | High | 2023-07-05
CVE-2023-33969 | Stored Cross-site scripting in the Task External Link Functionality in Kanboard | kanboard | CWE-79 | 6.4 | Medium | 2023-06-05
CVE-2023-33970 | Missing access control in internal task links feature in Kanboard | kanboard | CWE-862 | 5.4 | Medium | 2023-06-05
CVE-2023-33968 | Missing Access Control allows User to move and duplicate tasks in Kanboard | kanboard | CWE-862 | 5.4 | Medium | 2023-06-05
CVE-2023-33956 | Parameter-based Indirect Object Referencing leading to private file exposure in Kanboard | kanboard | CWE-200 | 4.3 | Medium | 2023-06-05
CVE-2023-32685 | Clipboard-based cross-site scripting (blocked with default CSP) in Kanboard | kanboard | CWE-79 | 4.4 | Medium | 2023-05-30

This page lists every published CVE security advisory associated with kanboard. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.