CVE-2025-55011

Medium CVSS: 6.4

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, the createTaskFile method in the API does not validate whether the task_id parameter is a valid task id, nor does it check for path traversal. As a result, a malicious actor could write a file anywhere on the system the app user controls. The impact is limited due to the filename being hashed and having no extension. This issue has been patched in version 1.2.47.

Vendor

Kanboard

Product

Kanboard

CWE

CWE-22

Yayın Tarihi

2025-08-12 16:15:28

Güncelleme

2025-08-22 17:15:47

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Kanboard MEDIUM Kanboard 2025

Referanslar

https://github.com/kanboard/kanboard/blob/b2e35ac520add67cff792aab960b3c002c48e3d0/app/Api/Procedure/TaskFileProcedure.php#L47-L57 https://github.com/kanboard/kanboard/commit/523a6135e944b6884c091a3fd7605af8ef133681 https://github.com/kanboard/kanboard/security/advisories/GHSA-26f4-rx96-xc55 https://github.com/kanboard/kanboard/security/advisories/GHSA-26f4-rx96-xc55

Benzer Kayıtlar

High

CVE-2026-33058

Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQ…

High

CVE-2026-29056

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registrat…

Medium

CVE-2026-25531

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is in…

High

CVE-2026-25924

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulner…

Medium

CVE-2026-25530

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks…

Medium

CVE-2026-24885

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CS…