PT-2026-60322 · Wekan · Wekan
Published
2026-07-15
·
Updated
2026-07-16
·
CVE-2026-53446
CVSS v4.0
6.2
Medium
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Wekan versions prior to 9.32
Description
A Server-Side Request Forgery (SSRF) exists where webhook integration URLs in
models/integrations.js are stored from user input and subsequently fetched by server/notifications/outgoing.js. The process fails to apply the validateAttachmentUrl() private-network checks located in models/lib/attachmentUrlValidation.js. Consequently, a board administrator can configure webhook URLs that trigger server-side requests to internal or metadata services.Recommendations
Update to version 9.32.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wekan