A cross-board authorization bypass vulnerability exists in Wekan, a Meteor-based open-source kanban platform. This issue, tracked as CVE-2026-59154, allows a low-privileged authenticated user with write access to one board and knowledge of a target private card ID to create checklist data on an accessible card and move it into a private board where they are not a member. The vulnerability is fixed in Weka [truncated]
CVE-2026-41455 documents a server-side request forgery (SSRF) vulnerability in WeKan versions prior to 8.35, published by NVD on 2026-04-22 and last modified on 2026-05-26. The flaw resides in webhook integration URL handling, where the URL scheme field accepts arbitrary strings without protocol restriction or destination validation. Attackers with permissions to create or modify integrations can configur [truncated]