PatchSiren cyber security CVE debrief
CVE-2026-52891 wekan CVE debrief
CVE-2026-52891 is a critical vulnerability in Wekan's avatar upload feature. Prior to version 9.07, user-supplied filenames were embedded into paths and passed to child_process.exec() for MIME-type detection. This allowed attackers to inject shell metacharacters, such as backticks and $(), to execute commands on the server. The issue was fixed in version 9.07.
- Vendor
- wekan
- Product
- Unknown
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of Wekan, especially those hosting their kanban boards on servers that may be exposed to untrusted users, should be aware of this vulnerability and take immediate action to update to version 9.07 or apply compensating controls.
Technical summary
The vulnerability exists in the avatar upload functionality of Wekan, an open-source kanban built with Meteor. User-supplied filenames were not properly sanitized, allowing shell metacharacters to be embedded into paths. These paths were then passed to child_process.exec() for MIME-type detection, enabling attackers to execute arbitrary commands on the server. The CVSS score for this vulnerability is 9.9, indicating a critical severity. The vulnerability was publicly disclosed on July 15, 2026, and the first update to the CVE record was made on July 16, 2026.
Defensive priority
High
Recommended defensive actions
- Update Wekan to version 9.07 or later
- Review and sanitize user-supplied filenames
- Implement compensating controls, such as restricting access to avatar upload functionality
- Monitor for suspicious activity on the server
- Consider using a Web Application Firewall (WAF) to detect and prevent attacks
Evidence notes
The CVE record was published on July 15, 2026, and modified on July 16, 2026. The NVD entry is currently Deferred. The vulnerability was fixed in version 9.07 of Wekan. Limited information is available about the specific exploits or attacks related to this vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:17:16.450Z and has not been modified since then. The NVD entry is currently Deferred.