
WeKan — Vulnerabilities & Security Advisories (32)

All 32 CVEs recorded for WeKan, with AI-generated analysis (in Chinese), references, and proofs of concept where available.

Vendor: Wekan Team

Scores marked (AI) carry an AI badge on the original page; a dash in the Severity column means the page gives no severity rating. The final column is the publication date.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41455 | WeKan < 8.35 SSRF via Webhook URL | CWE-918 | 8.5 | High | 2026-04-22 |
| CVE-2026-41454 | WeKan < 8.35 Missing Authorization via Integration REST API | CWE-862 | 8.3 | High | 2026-04-22 |
| CVE-2026-30847 | Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens | CWE-200 | 6.5 | - | 2026-03-06 |
| CVE-2026-30846 | Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication | CWE-306 | 7.5 | - | 2026-03-06 |
| CVE-2026-30845 | Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication | CWE-200 | 7.5 | - | 2026-03-06 |
| CVE-2026-30844 | Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading | CWE-918 | 9.1 | - | 2026-03-06 |
| CVE-2026-30843 | Wekan has Cross-Board IDOR in Custom Fields Update Endpoints | CWE-639 | 6.5 | - | 2026-03-06 |
| CVE-2026-2209 | WeKan Custom Translation translationBody.js setCreateTranslation improper authorization | CWE-285 | 6.3 | Medium | 2026-02-08 |
| CVE-2026-2208 | WeKan Rules rules.js RulesBleed authorization | CWE-862 | 4.3 | Medium | 2026-02-08 |
| CVE-2026-2207 | WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure | CWE-200 | 5.3 | Medium | 2026-02-08 |
| CVE-2026-2206 | WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control | CWE-284 | 6.3 | Medium | 2026-02-08 |
| CVE-2026-2205 | WeKan Meteor Publication cards.js CardPubSubBleed information disclosure | CWE-200 | 4.3 | Medium | 2026-02-08 |
| CVE-2026-25859 | WeKan < 8.20 Migration Functionality Insufficient Permission Checks | CWE-863 | 7.1 (AI) | High (AI) | 2026-02-07 |
| CVE-2026-25568 | WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass | CWE-863 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25567 | WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25566 | WeKan < 8.19 Cross-board Card Move Without Destination Authorization | CWE-863 | 3.3 (AI) | Low (AI) | 2026-02-07 |
| CVE-2026-25565 | WeKan < 8.19 Read-only Board Roles Can Update Cards | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25564 | WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25563 | WeKan < 8.19 Checklist Creation Cross-Board IDOR | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25562 | WeKan < 8.19 Attachments Publication Information Disclosure | CWE-203 | 5.3 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25561 | WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass | CWE-863 | 7.5 (AI) | High (AI) | 2026-02-07 |
| CVE-2026-25560 | WeKan < 8.19 LDAP Authentication Filter Injection | CWE-90 | 7.5 (AI) | High (AI) | 2026-02-07 |
| CVE-2026-1964 | WeKan REST Endpoint boards.js BoardTitleRESTBleed access control | CWE-284 | 4.3 | Medium | 2026-02-05 |
| CVE-2026-1963 | WeKan Attachment Storage attachments.js MoveStorageBleed access control | CWE-284 | 6.3 | Medium | 2026-02-05 |
| CVE-2026-1962 | WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control | CWE-284 | 6.3 | Medium | 2026-02-05 |
| CVE-2026-1898 | WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control | CWE-284 | 6.3 | Medium | 2026-02-05 |
| CVE-2026-1897 | WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization | CWE-862 | 4.3 | Medium | 2026-02-05 |
| CVE-2026-1896 | WeKan Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration MigrationBleed access control | CWE-284 | 6.3 | Medium | 2026-02-04 |
| CVE-2026-1895 | WeKan Attachment Storage lists.js applyWipLimit ListWIPBleed access control | CWE-284 | 6.3 | Medium | 2026-02-04 |
| CVE-2026-1894 | WeKan REST API checklistItems.js Checklist REST Bleed improper authorization | CWE-285 | 6.3 | Medium | 2026-02-04 |
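Most of the table is variations on three missing server-side checks: no membership or role check on a board-scoped method or publication (CWE-862/284/863), no check that an object looked up by a client-supplied ID belongs to the board the caller was authorized against (CWE-639, the cross-board IDOR entries), and no field filtering before records are published to clients (CWE-200). The block below is an added illustration of those three checks in plain Node.js, not WeKan's own code and not a reproduction of any listed CVE; the board and checklist records, their field names and the role flags are constructed sample data, not WeKan's schema.

```javascript
// Added example (not WeKan code): board-scoped authorization checks whose absence
// corresponds to the CWE-862/284/863, CWE-639 and CWE-200 entries in the table.
// All records and field names below are constructed for the example.

class AuthError extends Error {}

const boards = new Map([
  ['b1', {
    _id: 'b1', title: 'Team board', permission: 'private',
    members: [
      { userId: 'u1', isAdmin: true, isActive: true },
      { userId: 'u2', isAdmin: false, isActive: true, isCommentOnly: true },
    ],
    // hypothetical server-only fields that a publication must never ship to clients
    webhookSecret: 'shh-b1',
    integrations: [{ url: 'https://hooks.example/abc', token: 'tok-b1' }],
  }],
  ['b2', {
    _id: 'b2', title: 'Other board', permission: 'private',
    members: [{ userId: 'u3', isAdmin: true, isActive: true }],
    webhookSecret: 'shh-b2',
    integrations: [],
  }],
]);

const checklists = new Map([
  ['c1', { _id: 'c1', boardId: 'b1', cardId: 'k1', title: 'Release' }],
  ['c2', { _id: 'c2', boardId: 'b2', cardId: 'k2', title: 'Other' }],
]);

// 1. Membership: every board-scoped method or publication first resolves the caller
//    to an active member of that board; anonymous callers and non-members fail here.
function requireMember(boardId, userId) {
  const board = boards.get(boardId);
  if (!board) throw new AuthError('no such board');
  const member = userId && board.members.find(m => m.userId === userId && m.isActive);
  if (!member) throw new AuthError('not a member');
  return { board, member };
}

// 2. Role: read-only and comment-only members may read but must not mutate.
function requireWriter(boardId, userId) {
  const ctx = requireMember(boardId, userId);
  if (ctx.member.isCommentOnly || ctx.member.isNoComments) throw new AuthError('read-only role');
  return ctx;
}

// 3. Relationship: an object fetched by client-supplied ID must belong to the board the
//    caller was just authorized against. Without this, a valid ID from another board
//    passes the membership check and is mutated anyway (cross-board IDOR).
function requireChecklistInBoard(checklistId, boardId) {
  const checklist = checklists.get(checklistId);
  if (!checklist || checklist.boardId !== boardId) throw new AuthError('checklist not in board');
  return checklist;
}

// 4. Field filtering: publish an explicit allowlist of fields, never the whole record.
const CLIENT_BOARD_FIELDS = ['_id', 'title', 'permission', 'members'];

function boardForClient(boardId, userId) {
  const { board } = requireMember(boardId, userId);
  return Object.fromEntries(CLIENT_BOARD_FIELDS.map(f => [f, board[f]]));
}

// A mutating method composed from the checks above: role, then relationship, then act.
function deleteChecklist(userId, boardId, checklistId) {
  requireWriter(boardId, userId);
  const checklist = requireChecklistInBoard(checklistId, boardId);
  checklists.delete(checklist._id);
  return true;
}

// Helper so callers can assert that a denied call fails closed with AuthError.
function isAuthError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof AuthError; }
}
```

The ordering in `deleteChecklist` is the point: the membership and role checks run against the `boardId` the client names, and the relationship check then ties the `checklistId` to that same board, so supplying a valid ID from a board the caller does not belong to is rejected rather than silently acted on.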
