PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52891 wekan CVE debrief

CVE-2026-52891 is a critical vulnerability in Wekan's avatar upload feature. Prior to version 9.07, user-supplied filenames were embedded into paths and passed to child_process.exec() for MIME-type detection. This allowed attackers to inject shell metacharacters, such as backticks and $(), to execute commands on the server. The issue was fixed in version 9.07.

Vendor
wekan
Product
Unknown
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Administrators and users of Wekan, especially those hosting their kanban boards on servers that may be exposed to untrusted users, should be aware of this vulnerability and take immediate action to update to version 9.07 or apply compensating controls.

Technical summary

The vulnerability exists in the avatar upload functionality of Wekan, an open-source kanban built with Meteor. User-supplied filenames were not properly sanitized, allowing shell metacharacters to be embedded into paths. These paths were then passed to child_process.exec() for MIME-type detection, enabling attackers to execute arbitrary commands on the server. The CVSS score for this vulnerability is 9.9, indicating a critical severity. The vulnerability was publicly disclosed on July 15, 2026, and the first update to the CVE record was made on July 16, 2026.

Defensive priority

High

Recommended defensive actions

  • Update Wekan to version 9.07 or later
  • Review and sanitize user-supplied filenames
  • Implement compensating controls, such as restricting access to avatar upload functionality
  • Monitor for suspicious activity on the server
  • Consider using a Web Application Firewall (WAF) to detect and prevent attacks

Evidence notes

The CVE record was published on July 15, 2026, and modified on July 16, 2026. The NVD entry is currently Deferred. The vulnerability was fixed in version 9.07 of Wekan. Limited information is available about the specific exploits or attacks related to this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:17:16.450Z and has not been modified since then. The NVD entry is currently Deferred.