Is Kanboard affected by CVE-2026-25924?

Kanboard versions prior to 1.2.50 contain a critical vulnerability allowing authenticated administrators to execute arbitrary code on affected systems. Organizations using Kanboard must prioritize immediate patching to prevent potential data theft, system compromise, and operational disruption.

CVE-2026-25924

HIGH

2026-02-11 [email protected]

8.4

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

PoC Detected

Feb 13, 2026 - 21:30 vuln.today

Public exploit code

Patch Released

Feb 13, 2026 - 21:30 nvd

Patch available

CVE Published

Feb 11, 2026 - 21:16 nvd

HIGH 8.4

Description

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50.

Analysis

Remote code execution in Kanboard prior to 1.2.50 allows authenticated administrators to bypass plugin installation restrictions and execute arbitrary code on the server. The vulnerability stems from a configuration validation flaw where the PLUGIN_INSTALLER setting is enforced only in the UI but not validated at the backend endpoint, enabling an attacker to force installation of malicious plugins. …

Remediation

Within 24 hours: Inventory all Kanboard instances and verify current versions; restrict administrative access to trusted personnel only. Within 7 days: Apply vendor patch to upgrade all instances to version 1.2.50 or later; validate patch deployment in a test environment first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +42

POC: +20

CVE-2026-25924 vulnerability details – vuln.today

Back

CVE-2026-25924

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-25924

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code