
wekan — Vulnerabilities & Security Advisories (17)

Browse all 17 CVE security advisories affecting wekan. AI-powered Chinese analysis, POCs, and references for each vulnerability.

WeKan serves as an open-source Kanban board application for team project management. Historically, it has been susceptible to multiple remote code execution vulnerabilities, cross-site scripting attacks, and privilege escalation flaws, contributing to its 17 recorded CVEs. Notable security characteristics include its self-hosted nature, which allows organizations to maintain control over their data but requires diligent patch management. While no major public security incidents have been widely documented, the consistent discovery of vulnerabilities in areas such as authentication and file handling underscores the importance of regular security updates for deployments handling sensitive project information.

Top products by wekan: WeKan
| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41455 | WeKan < 8.35 SSRF via Webhook URL | wekan | CWE-918 | 8.5 | High | 2026-04-22 |
| CVE-2026-41454 | WeKan < 8.35 Missing Authorization via Integration REST API | wekan | CWE-862 | 8.3 | High | 2026-04-22 |
| CVE-2026-30847 | Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens | Wekan | CWE-200 | 6.5 | - | 2026-03-06 |
| CVE-2026-30846 | Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication | Wekan | CWE-306 | 7.5 | - | 2026-03-06 |
| CVE-2026-30845 | Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication | Wekan | CWE-200 | 7.5 | - | 2026-03-06 |
| CVE-2026-30844 | Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading | Wekan | CWE-918 | 9.1 | - | 2026-03-06 |
| CVE-2026-30843 | Wekan has Cross-Board IDOR in Custom Fields Update Endpoints | Wekan | CWE-639 | 6.5 | - | 2026-03-06 |
| CVE-2026-25859 | WeKan < 8.20 Migration Functionality Insufficient Permission Checks | WeKan | CWE-863 | 7.1 (AI) | High (AI) | 2026-02-07 |
| CVE-2026-25568 | WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass | WeKan | CWE-863 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25567 | WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId | WeKan | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25566 | WeKan < 8.19 Cross-board Card Move Without Destination Authorization | WeKan | CWE-863 | 3.3 (AI) | Low (AI) | 2026-02-07 |
| CVE-2026-25565 | WeKan < 8.19 Read-only Board Roles Can Update Cards | WeKan | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25564 | WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation | WeKan | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25563 | WeKan < 8.19 Checklist Creation Cross-Board IDOR | WeKan | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25562 | WeKan < 8.19 Attachments Publication Information Disclosure | WeKan | CWE-203 | 5.3 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25561 | WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass | WeKan | CWE-863 | 7.5 (AI) | High (AI) | 2026-02-07 |
| CVE-2026-25560 | WeKan < 8.19 LDAP Authentication Filter Injection | WeKan | CWE-90 | 7.5 (AI) | High (AI) | 2026-02-07 |

CVSS scores and severities marked "(AI)" are AI-estimated rather than vendor- or NVD-assigned; "-" means no severity has been assigned yet.

This page lists every published CVE security advisory associated with wekan. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.