Contents

See SECURITY.md how to send security issue to security@wekan.fi ONLY ! NOT TO ANYONE ELSE ! Thanks!

CVE	Vulnerability name	Date	Responsible Security Disclosure by	Vulnerabilities
-	Spacebleed	2025-11-02 03:29 EET	Siam Thanat Hack (STH) Did send detailed report!	1. File Attachments enables stored XSS (High) 2. Access to boards of any Orgs/Teams (High) 3. Unauthenticated (or any) user can update board ‘sort’ (Low) 4. Members can forge others’ votes (Low). Bonus: Similar fixes to planning poker too done by xet7. 5. Attachment API uses bearer value as userId and DoS (Low) Affected Wekan v8.15 Fixed at Wekan v8.16 2025-11-02 More details
CVE-2021-20654 JVN: Many fixed.	Fieldbleed	JVN: 2021-2025 Many fixed.	Cyb3rjunky and swsjona about input fields. Ryoya Koyama at Mitsui Bussan Secure Directions, Inc. (https://www.mbsd.jp/) about Javascript inside .SVG attachment Romain Korpas at apitech.fr about IDOR. Nguyen Thanh Nguyen of Fortinet's FortiGuard Labs about SVG. Sho Sugiyama about XSS. And some anonymous security researchers. Did send detailed report!	XSS: Javascript saved to field, and Javascript inside .SVG attachment, is run when page is reloaded Affected Wekan v3.12-v4.11 Fixed at Wekan v4.12 2020-06-08 More details Fixed at WeKan v7.98 or earlier: IDOR CWE-639 that affected WeKan 7.80-7.93: Romain Korpas at apitech.fr. Computational Resource Abuse in Export endpoints: Anynymous Security Researcher. FG-VD-22-078 Prevent SVG Billion Laughs Attack: Nguyen Thanh Nguyen of Fortinet's FortiGuard Labs. usd-2022-0041 CWE-284 Improper Access Control: Christian Pöschl of usd AG. JVN#14269684 Broken access control, JVN#74210258 Stored XSS, JVN#86586539 Stored XSS: Ryoua Koyama. JVN#15385465 CWE-79 XSS: Sho Sugiyama. JVN#80785288 CWE-79 XSS: Already previously fixed.
-	SocialBleed	2023-05-11 19.14 EET	Rajesh Thapa Did send detailed report!	Security: Links to Social Media at wekan.fi could lead to theft of sensitive information Affected Wekan website before 2024-05-12 05.34 EET Fixed at Wekan website 2023-05-12 05.34 EET More details
-	AdminBleed	2023-04-24 16.40 EET	Christian Pöschl of usd AG Responsible Disclosure Team Did send detailed report!	Security: Non-Admin could change to Admin Affected Wekan v6.85 and earlier Fixed at Wekan v6.86 2023-04-26 More details
-	InvisibleBleed	2023-04-24 03.35 EET	Someone at chat Sent report and disappeared.	Security: HTML comments not visible Affected Wekan v6.85 and earlier Fixed at Wekan v6.86 2023-04-26 More details
CVE-2023-31779	ReactionBleed	2023-02-28 12.36 EET	Alexander Starikov at Jet Infosystems Did send detailed report and fix!	Security: XSS in feature "Reaction to comment" Affected Wekan v5.49 - v6.84 Fixed at Wekan v6.85 2023-04-18 More details
-	Filebleed	2023-02-16 17.35 EET	SEC Consult, an Atos company Did send detailed report!	Security: XSS in filename Affected Wekan v6.74 and earlier Fixed at Wekan v6.75 2023-02-21 More details
-	Emailbleed	2021-01-26 12.42 EET	Georg Krause Did send detailed report!	Security: SMTP password visible to Admin at Admin Panel by using browser inspect to see behind asterisks Affected Wekan v1.59-v4.98 Fixed at Wekan v4.99 2021-02-25 More details
CVE-2021-3309	LDAPbleed	2021-01-26 0:42 EET	robert-scheck Did send report and sent fix! Although, report was at public GitHub issue, not via Responsible Security Disclosure	Security: SSL/TLS certificate validation for LDAP disabled by default Affected Wekan v1.53.1-v4.87 Fixed at Wekan v4.88 2021-01-28 More details
-	DUEbleed	2021-01-11 EET	xet7 - maintainer of Wekan Did not notice security issue originally when merging new feature from pull request. Did fix issue when finally noticed it at production at Wekan demo server.	Due Cards and Broken Cards: As Admin user, at All Users view of Due Cards and Broken Cards, fixed to not show cards from other users private boards. This affected only logged in Admin user, not logged in other users. Affected Wekan v4.73-v4.74 Fixed at Wekan v4.75 2021-01-11 More details
VRF#20-08-SGSSC.	Bypassbleed	2020-02-26 01:36 EET	Dejan Zelic, Justin Benjamin and others at Offensive Security Did send detailed report and helped fixing!	Auth Bypass Unauthenticated SSRF DoS Unauthenticated Username Change Unauthenticated Os Statistics Affected Wekan v0.7-v3.80 Fixed at Wekan v3.81 2020-03-01 More details
VRF#20-08-DDFJJ.	Userbleed	2018-06-12	Adrian Genaid at PLANTA Projektmanagement-Systeme GmbH Did send detailed report and fix!	User data is published unconditionally Sessions can be taken over Affected Wekan v0.11.1-rc2 - v1.03 Fixed at Wekan v1.04 2018-06-12 More details
CVE-2018-1000549, In Progress Update Request 938446	Brutebleed	2018-06-12	Shadow Vault Did not report to Wekan, was found later from CVE	Email / Username Enumeration Affected Wekan v1.04-v2.43 Fixed at Wekan v2.44 2019-03-11. More details
VRF#20-08-LZGVF.	Framebleed	2018-03-25	Team Did send detailed report!	Cross Frame Scripting Clickjacking Improper Cache Control Affected Wekan v0.7-v0.79 More details