PT-2025-20801 · Kanboard · Kanboard

Fewword · Published 2025-05-12 · Updated 2025-05-13 · CVE-2025-46825

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Kanboard versions 1.2.26 through 1.2.44

Description: The issue is a stored cross-site scripting (XSS) vulnerability in the name parameter of the "http://localhost/?controller=ProjectCreationController&action=create" form. It allows an attacker to inject script into pages viewed by other users. The default content security policy (CSP) blocks execution of the injected JavaScript, but the issue can still be exploited on a badly configured instance, and because the default CSP carries the unsafe-inline directive, the software remains open to CSS injection.

Recommendations: For versions 1.2.26 through 1.2.44, update to version 1.2.45 or later to resolve the issue. As a temporary workaround, consider restricting access to the http://localhost/?controller=ProjectCreationController&action=create form until the update is applied. Additionally, review and adjust the content security policy (CSP) to prevent CSS injection by removing the unsafe-inline directive if possible.
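The CSP review recommended above can be automated. The following is an added example written for this record, not code from the advisory or from the Kanboard project: a small Content-Security-Policy linter that parses a header value and reports where inline styles or scripts are permitted, either directly in style-src/script-src or through the default-src fallback. It also applies the CSP2+ rule that 'unsafe-inline' is ignored when the same directive carries a nonce or hash source. The two sample policies are constructed for illustration and are not Kanboard's actual defaults; the nonce value is a placeholder.

```python
import re

INLINE = "'unsafe-inline'"
# Nonce or hash source expressions; their presence makes browsers ignore 'unsafe-inline'
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    As in the CSP spec, a directive that appears twice keeps its first value."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in policy:
            policy[name] = sources
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> tuple[str, list[str]]:
    """Resolve a fetch directive, falling back to default-src when it is absent.
    Returns (directive that supplied the sources, source list)."""
    if directive in policy:
        return directive, policy[directive]
    return "default-src", policy.get("default-src", [])


def csp_findings(header: str) -> list[str]:
    """Report directives that allow inline styles or scripts.
    A directive with no sources at all ("style-src;") means 'none' and is
    therefore not reported; only a policy that sets neither the directive
    nor default-src is flagged as unrestricted."""
    policy = parse_csp(header)
    findings: list[str] = []
    for directive in ("style-src", "script-src"):
        if directive not in policy and "default-src" not in policy:
            findings.append(f"{directive}: unrestricted (neither {directive} nor default-src set)")
            continue
        origin, sources = effective_sources(policy, directive)
        lowered = [s.lower() for s in sources]
        has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
        if INLINE in lowered and not has_nonce_or_hash:
            findings.append(f"{directive}: {INLINE} allowed via {origin}")
    return findings


# Constructed sample policies (not Kanboard's real defaults).
WEAK_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'"
HARDENED_CSP = "default-src 'self'; style-src 'self' 'nonce-PLACEHOLDER'; script-src 'self'"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {csp_findings(csp) or ['no findings']}")
```

Replacing 'unsafe-inline' with a nonce source only helps if the application emits a matching nonce attribute on every legitimate inline style or script it renders; the linter checks the header, not the templates, so a passing result still needs to be confirmed against the pages the instance actually serves.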

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-46825
GHSA-5WJ3-C9V4-PJ9V

Affected Products

Kanboard