Hall of Fame image from https://openclipart.org/detail/120343/trophy

InputBleed

CVE: -
Vulnerability name: InputBleed
Date: 2026-06-18 EET
Responsible Security Disclosure by: GitHub CodeQL (code scanning alert #421); xet7 - maintainer of Wekan, and Claude (fix)
Vulnerabilities:
Automated code scanning flagged the incomplete multi-character sanitization, which was then fixed.
  • InputBleed — Incomplete multi-character HTML sanitization allowed HTML/script element injection (CWE-79 Cross-site Scripting, CWE-80 Improper Neutralization of Script-Related HTML Tags, CWE-116 Improper Encoding or Escaping of Output).
  • GitHub CodeQL code scanning alert #421, rule js/incomplete-multi-character-sanitization, severity High.
  • stripHtml() in client/lib/importDependencies.js removed HTML tags with a single pass of /<[^>]*>/g. This is an incomplete multi-character sanitization in two ways: (1) a dangling, unclosed tag that has no closing > — for example a trailing <script or <svg/onload=... — is never matched by the regex at all and survives untouched, leaving <script in the output (exactly what the scanner warned about); and (2) removing one match can splice the surrounding text into a new match. A crafted card-dependency ("Red Strings") import file — the WeKan/generic JSON or Miro item titles and connector captions that pass through stripHtml — could therefore smuggle an HTML/script fragment past the sanitizer.
  • Fixed by looping the tag-stripping replacement to a fixed point and then removing any remaining stray </> characters, so neither a complete nor a partial tag can remain.
  • Fixed at Wekan v9.52 2026-06-18 (see CHANGELOG)
  • Fixed code


Timeline Details
2026-06-16 GitHub CodeQL code scanning first detected the incomplete multi-character sanitization (js/incomplete-multi-character-sanitization) in client/lib/importDependencies.js on branch main, raising alert #421 (severity High).
2026-06-18 Fixed by xet7 and Claude: stripHtml() now loops the tag-stripping replacement to a fixed point and then removes any remaining stray </> characters. Released in Wekan v9.52 on 2026-06-18.

