Shodan
Vulnerabilities
Vulnerable Software
Wekan Project:  >> Wekan  >> 0.43  Security Vulnerabilities
CVE-2025-65778
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions.
CVSS Score
8.1
EPSS Score
0.0
Published
2025-12-15
CVE-2025-65779
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-12-15
CVE-2025-65780
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privilege escalation and unauthorized access to other teams/orgs.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-12-15
CVE-2025-65781
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing.
CVSS Score
8.2
EPSS Score
0.0
Published
2025-12-15
CVE-2023-28485
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Any user can obtain the privilege to rename within their own board (where they have BoardAdmin access), and renameAttachment does not block XSS payloads.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-06-26
CVE-2023-31779
Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on kanban board can insert JavaScript code in in "Reaction to comment" feature.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-05-22
CVE-2021-3309
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store,
CVSS Score
8.1
EPSS Score
0.004
Published
2021-01-26


Products
Pricing
Contact Us

Shodan ® - All rights reserved