Every CVE whose affected-product data names Wekan Project Wekan, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (39)
CVE-2026-25560 — CVSS 9.8 (critical): WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is…
CVE-2026-25859 — CVSS 8.8 (high): Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks…
CVE-2025-65780 — CVSS 8.8 (high): An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update…
CVE-2025-65781 — CVSS 8.2 (high): An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the…
CVE-2026-30845 — CVSS 8.2 (high): Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes…
CVE-2025-65778 — CVSS 8.1 (high): An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be…
CVE-2026-30844 — CVSS 8.1 (high): Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via…
CVE-2021-3309 — CVSS 8.1 (high): packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification…
CVE-2026-25564 — CVSS 7.5 (high): WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The…
CVE-2025-65779 — CVSS 7.5 (high): An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can…
CVE-2026-30846 — CVSS 7.5 (high): Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global…
CVE-2026-25561 — CVSS 7.5 (high): WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided…
CVE-2026-25563 — CVSS 7.5 (high): WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The…
CVE-2025-65782 — CVSS 6.5 (medium): An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update…
CVE-2026-25565 — CVSS 6.5 (medium): WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access…
CVE-2026-30847 — CVSS 6.5 (medium): Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan…
CVE-2026-30843 — CVSS 6.5 (medium): Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue…
CVE-2026-2206 — CVSS 6.3 (medium): A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateList…
CVE-2026-1896 — CVSS 6.3 (medium): A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file…
CVE-2026-1898 — CVSS 6.3 (medium): A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the…
CVE-2026-1962 — CVSS 6.3 (medium): A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js…
CVE-2026-1963 — CVSS 6.3 (medium): A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component…
CVE-2026-2209 — CVSS 6.3 (medium): A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file…
CVE-2026-1894 — CVSS 6.3 (medium): A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component…
CVE-2026-1895 — CVSS 6.3 (medium): A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment…
CVE-2023-31779 — CVSS 5.4 (medium): Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on kanban board can insert JavaScript…
CVE-2021-20654 — CVSS 5.4 (medium): Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. This is named…
CVE-2026-25566 — CVSS 5.4 (medium): WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination…
CVE-2023-28485 — CVSS 5.4 (medium): A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject…
CVE-2018-1000549 — CVSS 5.3 (medium): Wekan version 1.04.0 contains a Email / Username Enumeration vulnerability in Register' and 'Forgot your password?' pages that can result…
CVE-2026-2207 — CVSS 5.3 (medium): A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js…
CVE-2026-1892 — CVSS 5.0 (medium): A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the…
CVE-2026-25568 — CVSS 4.3 (medium): WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not…
CVE-2026-25562 — CVSS 4.3 (medium): WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be…
CVE-2026-2208 — CVSS 4.3 (medium): A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of…
CVE-2026-25567 — CVSS 4.3 (medium): WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an…
CVE-2026-1964 — CVSS 4.3 (medium): A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST…
CVE-2026-1897 — CVSS 4.3 (medium): A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHisto…
CVE-2026-2205 — CVSS 4.3 (medium): A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component…