CVE-2026-25562

MEDIUM

Wekan < 8.19 - Information Disclosure

Title source: rule

Description

WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.

References (3)

[Patch] https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure

[Product] https://wekan.fi/

Scores

CVSS v3 4.3

EPSS 0.0001

EPSS Percentile 2.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-203

Status published

Products (1)

wekan_project/wekan < 8.19

Published Feb 07, 2026

Tracked Since Feb 18, 2026