PT-2026-60322 · Wekan · Wekan

Published

2026-07-15

·

Updated

2026-07-16

·

CVE-2026-53446

CVSS v4.0

6.2

Medium

VectorAV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions Wekan versions prior to 9.32
Description A Server-Side Request Forgery (SSRF) exists where webhook integration URLs in models/integrations.js are stored from user input and subsequently fetched by server/notifications/outgoing.js. The process fails to apply the validateAttachmentUrl() private-network checks located in models/lib/attachmentUrlValidation.js. Consequently, a board administrator can configure webhook URLs that trigger server-side requests to internal or metadata services.
Recommendations Update to version 9.32.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53446

Affected Products

Wekan