CVE-2026-25561: WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully vali
high · vulnerability
In WeKan versions before 8.19, the attachment upload API does not properly check that the identifiers supplied with a request (such as boardId, cardId, and listId) correspond to one another, which lets an attacker upload attachments using identifiers that don't belong together. This is an authorization weakness (CWE-863, a flaw in access control) rated HIGH severity, and exploiting it requires the attacker to already have login credentials.
Update to WeKan version 8.19 or later. A patch is available at https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8.
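The cross-identifier check described above can be expressed as follows. This is an added example, not WeKan's code and not the contents of the linked patch; the in-memory data, the field names and the helper `authorizeAttachmentUpload` are assumptions made for illustration.

```javascript
// Constructed sample data. Field names are assumptions for illustration,
// not WeKan's actual schema.
const boards = new Map([
  ['b1', { members: ['alice'] }],
  ['b2', { members: ['bob'] }],
]);
const lists = new Map([
  ['l1', { boardId: 'b1' }],
  ['l2', { boardId: 'b2' }],
]);
const cards = new Map([
  ['c1', { boardId: 'b1', listId: 'l1' }],
  ['c2', { boardId: 'b2', listId: 'l2' }],
]);

// Hypothetical helper: decide whether userId may attach a file to the
// (boardId, listId, cardId) triple supplied in the request.
function authorizeAttachmentUpload(userId, ids) {
  const { boardId, listId, cardId } = ids || {};
  // Identifiers must be plain non-empty strings before any lookup.
  for (const [name, value] of Object.entries({ boardId, listId, cardId })) {
    if (typeof value !== 'string' || value === '') {
      return { ok: false, reason: `invalid ${name}` };
    }
  }
  // The caller must be a member of the board named in the request.
  const board = boards.get(boardId);
  if (!board || !board.members.includes(userId)) {
    return { ok: false, reason: 'not a member of board' };
  }
  // Each object must belong to the board named in the same request.
  const list = lists.get(listId);
  if (!list || list.boardId !== boardId) {
    return { ok: false, reason: 'list not on board' };
  }
  const card = cards.get(cardId);
  if (!card || card.boardId !== boardId || card.listId !== listId) {
    return { ok: false, reason: 'card not on board/list' };
  }
  return { ok: true, reason: 'consistent' };
}

// A matching triple is accepted; a card from another board is refused.
console.log(authorizeAttachmentUpload('alice', { boardId: 'b1', listId: 'l1', cardId: 'c1' }));
console.log(authorizeAttachmentUpload('alice', { boardId: 'b1', listId: 'l1', cardId: 'c2' }));
```

The point of the check is that membership of the board alone is not enough: every identifier in the request is resolved server-side and compared against the others before the upload is accepted.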
7.5 (high)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-25561
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 95%