PT-2026-23744 · Wekan · Wekan
Source: GHSL
Published: 2026-03-06 · Updated: 2026-03-06
CVE-2026-30844
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Wekan versions 8.32 through 8.33
Description: Wekan, an open-source kanban tool built with Meteor, fetches attachment URLs server-side during board import without validating or filtering them. Both the Wekan and the Trello import flows are affected: the parseActivities() and parseActions() methods extract user-controlled attachment URLs from the uploaded board data and hand them to Attachments.load(), which downloads them without any sanitization. Any authenticated user who can import a board can therefore make arbitrary HTTP requests originate from the Wekan server (server-side request forgery), reaching services that are only meant to be reachable from the server's network: cloud instance metadata endpoints (which can expose IAM credentials), internal databases, and internal admin panels.
Recommendations: Update Wekan 8.32 and 8.33 to version 8.34.

Weakness Enumeration: SSRF
Related Identifiers: CVE-2026-30844
Affected Products: Wekan