CVE-2026-25562
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
WeKan versions prior to 8.19 have an information disclosure vulnerability in attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing metadata to unauthorized users.
Risk Assessment
The organization risks leakage of attachment metadata, which may reveal sensitive information about stored files even if the user does not have access to the relevant boards or cards.
Recommendation
Update WeKan to version 8.19 or later immediately, which includes a fix that restricts access to attachment metadata based on user permissions.
Original NVD description (English source)
WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.

