PT-2026-6924 · Wekan · Wekan

Joshua Rogers · Published 2026-02-07 · Updated 2026-02-08 · CVE-2026-25561

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: WeKan versions prior to 8.19

Description: The software contains an authorization weakness in the attachment upload API. The API does not fully validate identifiers such as boardId, cardId, swimlaneId, and listId to ensure they correctly relate to a coherent card/board relationship. This allows attempts to upload attachments with mismatched object relationships.

Recommendations: Update to version 8.19 or later.
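
The class of check the description refers to, as an added example that is not WeKan's code or its fix: identifiers validated in isolation beside a check that treats the stored card as the source of truth. The data model, field names, function names and reason strings are assumptions made for illustration; only the four identifier names come from the advisory.

```javascript
// Constructed sample data; the schema is an assumption, not WeKan's.
const store = {
  boards: { b1: { members: ["alice"] }, b2: { members: ["bob"] } },
  cards: {
    c1: { boardId: "b1", listId: "l1", swimlaneId: "s1" },
    c2: { boardId: "b2", listId: "l2", swimlaneId: "s2" },
  },
};

// Incomplete check (hypothetical): each identifier is looked at on its own,
// so a board the caller belongs to can be paired with a card from elsewhere.
function checkIsolated(db, userId, { boardId, cardId }) {
  const board = db.boards[boardId];
  return Boolean(board && board.members.includes(userId) && db.cards[cardId]);
}

// Coherent check (hypothetical): every supplied identifier must match what is
// stored on the card, and membership is evaluated on the card's own board
// rather than on the board named in the request.
function checkCoherent(db, userId, { boardId, cardId, swimlaneId, listId }) {
  // Reject non-string values before any lookup (e.g. objects sent as ids).
  const ids = [boardId, cardId, swimlaneId, listId];
  if (!ids.every((v) => typeof v === "string" && v.length > 0)) {
    return { ok: false, reason: "malformed-id" };
  }
  const card = Object.hasOwn(db.cards, cardId) ? db.cards[cardId] : null;
  if (!card) return { ok: false, reason: "unknown-card" };

  // Compare the request's view of the hierarchy with the stored one.
  const supplied = { boardId, swimlaneId, listId };
  for (const [key, value] of Object.entries(supplied)) {
    if (card[key] !== value) return { ok: false, reason: `mismatch-${key}` };
  }
  const board = Object.hasOwn(db.boards, card.boardId)
    ? db.boards[card.boardId]
    : null;
  if (!board || !board.members.includes(userId)) {
    return { ok: false, reason: "not-a-member" };
  }
  return { ok: true, reason: null };
}
```

Logging the `reason` value on rejection gives a detection signal: repeated `mismatch-*` results from one account indicate requests built with inconsistent identifiers.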

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-25561

Affected Products: Wekan