PT-2026-34569 · Wekan · Wekan

Rodolphe Ghio · Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-41455

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WeKan versions prior to 8.35

Description: An issue exists in webhook integration URL handling: the URL scheme field accepts any string without protocol restriction or destination validation. This allows users with permission to create or modify integrations to set webhook URLs to internal network addresses. Consequently, the server may issue HTTP POST requests to internal targets carrying full board event payloads. Additionally, the response handling can be exploited to overwrite arbitrary comment text without authorization checks. Server-side request forgery is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location.

Recommendations: Update to version 8.35 or later.

Tags: Fix · SSRF

Related Identifiers

CVE-2026-41455

Affected Products

Wekan