CVE-2026-2206

low-risk

Published 2026-02-08

A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Wekan

Affected Vendors

Wekan Project

References (6)

Product https://github.com/wekan/wekan/

Patch https://github.com/wekan/wekan/commit/4ce181d17249778094f73d21515f7f863f554743

Product https://github.com/wekan/wekan/releases/tag/v8.21

Permissions Required https://vuldb.com/?ctiid.344920

Third Party Advisory https://vuldb.com/?id.344920

Third Party Advisory https://vuldb.com/?submit.752162

/ 100

low-risk

Severity 23/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal