CVE-2025-55010

moderate-risk
Published 2025-08-12

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.

Do I need to act?

~
4.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Kanboard

References (4)

Product https://github.com/kanboard/kanboard/blob/b033c0e0f982f8158e240bce8ab54c29727f8e...
Patch https://github.com/kanboard/kanboard/commit/7148ac092e5db6b33e0fc35e04bca328d96c...
Exploit https://github.com/kanboard/kanboard/security/advisories/GHSA-359x-c69j-q64r
Exploit https://github.com/kanboard/kanboard/security/advisories/GHSA-359x-c69j-q64r
44
/ 100
moderate-risk
Severity 31/34 · Critical
Exploitability 8/34 · Low
Exposure 5/34 · Minimal