Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
| # | POC Description | Source Link | Shenlong Link |
|---|
No public POC found.
Login to generate AI POC| CVE-2026-52891 | 9.9 CRITICAL | Wekan: Shell Injection via Avatar Upload |
| CVE-2026-55652 | 9.8 CRITICAL | Wekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unaut |
| CVE-2026-55234 | 8.5 HIGH | Wekan: Broken access control: any authenticated user can move their Cards/Lists/Swimlanes |
| CVE-2026-52890 | 7.1 HIGH | Wekan: Arbitrary file read and server DoS via attachment versions.original.path |
| CVE-2026-53447 | 6.5 MEDIUM | Wekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) a |
| CVE-2026-53444 | Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin | |
| CVE-2026-53445 | Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards | |
| CVE-2026-53446 | Wekan: Server-Side Request Forgery (SSRF) via webhook integration URLs | |
| CVE-2026-52893 | Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser h |
No comments yet