CVE-2026-25566

low-risk

Published 2026-02-07

WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Wekan

Affected Vendors

Wekan Project

References (3)

Patch https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e

Product https://wekan.fi/

Third Party Advisory https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destina...

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal