CVE-2026-25566
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.
Risk Assessment
The risk involves potential unauthorized movement of cards between boards, which could lead to data confidentiality and integrity breaches, as well as privilege escalation within the organization.
Recommendation
It is recommended to immediately upgrade WeKan to version 8.19 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.

