CVE-2026-25562

WeKan < 8.19 Attachments Publication Information Disclosure

CVSS 5.3 MEDIUMEPSS 0.3%CWE-203

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

07 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

WeKan · WeKan

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820 https://wekan.fi/https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure