高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
| CVE-2026-52891 | 9.9 CRITICAL | Wekan: Shell Injection via Avatar Upload |
| CVE-2026-55234 | 8.5 HIGH | Wekan: Broken access control: any authenticated user can move their Cards/Lists/Swimlanes |
| CVE-2026-52890 | 7.1 HIGH | Wekan: Arbitrary file read and server DoS via attachment versions.original.path |
| CVE-2026-53447 | 6.5 MEDIUM | Wekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) a |
| CVE-2026-52892 | 6.5 MEDIUM | Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalatio |
| CVE-2026-53444 | Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin | |
| CVE-2026-53445 | Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards | |
| CVE-2026-53446 | Wekan: Server-Side Request Forgery (SSRF) via webhook integration URLs | |
| CVE-2026-52893 | Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser h |
まだコメントはありません