Product
wekan project wekan
39 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-30847
>= 8.31 and < 8.33
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan

CVE-2026-30846
>= 8.31 and < 8.33
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all

CVE-2026-30845
>= 8.31 and < 8.33
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan p

CVE-2026-30844
all versions
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF)

CVE-2026-30843
all versions
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (ID

CVE-2026-2209
< 8.19
A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/com

CVE-2026-2208
< 8.21
A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/ru

CVE-2026-2207
< 8.21
A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/act

CVE-2026-2206
< 8.21
A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDup

CVE-2026-2205
< 8.21
A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the c

CVE-2026-25859
< 8.20
Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission check

CVE-2026-25568
< 8.19
WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnl

CVE-2026-25567
< 8.19
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint acc

CVE-2026-25566
< 8.19
WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/lis

CVE-2026-25565
< 8.19
WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read a

CVE-2026-25564
< 8.19
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes

CVE-2026-25563
< 8.19
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes

CVE-2026-25562
< 8.19
WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata c

CVE-2026-25561
< 8.19
WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that

CVE-2026-25560
< 8.19
WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input i

CVE-2026-1964
< 8.21
A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component

CVE-2026-1963
< 8.21
A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component

CVE-2026-1962
< 8.21
A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigra

CVE-2026-1898
< 8.21
A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.j

CVE-2026-1897
< 8.21
A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/pos

CVE-2026-1896
< 8.21
A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of

CVE-2026-1895
< 8.21
A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Att

CVE-2026-1894
< 8.21
A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the com

CVE-2026-1892
< 8.21
A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.j

CVE-2025-65782
<= 8.15
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in ca

CVE-2025-65781
< 8.16
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API tr

CVE-2025-65780
< 8.16
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can

CVE-2025-65779
< 8.16
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attacker

CVE-2025-65778
< 8.16
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can

CVE-2023-28485
< 6.75
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to

CVE-2023-31779
<= 6.84
Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on kanban board can insert Ja

CVE-2021-20654
>= 3.12 and <= 4.11
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. This

CVE-2021-3309
< 4.87
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certifi

CVE-2018-1000549
all versions
Wekan version 1.04.0 contains an Email / Username Enumeration vulnerability in 'Register' and 'Forgot your password?' pages that can