In Kanboard versions 1.2.45 and prior a medium severity vulnerability CVE-2025-52576 was detected. This vulnerability allows attackers to enumerate valid usernames and bypass IP-based brute-force protection mechanisms such as Fail2Ban or CAPTCHA by abusing trusted HTTP headers and analyzing login behavior. This puts user accounts at higher risk of credential stuffing and brute-force attacks. To address this issue, users should upgrade Kanboard to version 1.2.46. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-52576.
In Kanboard versions prior to 1.2.46 a high severity vulnerability CVE-2025-52560 was detected. This vulnerability allows attackers to craft malicious password reset links by exploiting an unvalidated Host header when the application_url configuration is unset, potentially leading to account takeover. To address this issue, users should upgrade Kanboard to version 1.2.46 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-52560.
In Kanboard versions 1.2.26 through 1.2.44 a low severity vulnerability CVE-2025-46825 was detected. This vulnerability allows attackers to inject malicious scripts via the `name` parameter in the project creation form, potentially executing them in web pages viewed by other users if content security policies are misconfigured. To address this issue, users should upgrade Kanboard to version 1.2.45. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46825.
In Redmine versions 6.0.0 through 6.0.3 a medium severity vulnerability CVE-2025-4011 was detected. This vulnerability allows attackers to perform cross-site scripting (XSS) via manipulation of the "Name" argument in the Custom Query Handler. To address this issue, users should upgrade Redmine to version 6.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4011.
In Kanboard versions 1.2.48 and below a critical severity vulnerability CVE-2026-21881 was detected. This vulnerability allows attackers to bypass authentication and impersonate any user, including administrators, by sending spoofed HTTP headers when REVERSE_PROXY_AUTH is enabled, as the application does not verify that requests originate from a trusted reverse proxy. To address this issue, users should upgrade Kanboard to version 1.2.49. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21881.
In Kanboard versions 1.2.48 and below a medium severity vulnerability CVE-2026-21880 was detected. This vulnerability allows attackers to exploit improper input sanitization in the LDAP authentication mechanism to perform LDAP injection, enabling user enumeration and disclosure of sensitive LDAP user attributes. To address this issue, users should upgrade Kanboard to version 1.2.49. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21880.
In Kanboard versions 1.2.48 and below a medium severity vulnerability CVE-2026-21879 was detected. This vulnerability allows attackers to perform open redirect attacks by abusing protocol-relative URLs (e.g., //evil.com) that bypass URL validation, redirecting authenticated users to attacker-controlled websites. To address this issue, users should upgrade Kanboard to version 1.2.49. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21879.
In Kanboard versions prior to 1.2.43 a medium severity vulnerability CVE-2024-55603 was detected. This vulnerability allows attackers to use expired sessions as they remain valid due to improper verification of session lifetime in the database. To address this issue, users should upgrade Kanboard to version 1.2.43. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55603.
In Kanboard version 1.2.40 a medium severity vulnerability CVE-2024-54001 was detected. This vulnerability allows attackers to inject malicious HTML or JavaScript into the application, potentially leading to unauthorized actions or data theft. To fix this issue, users should upgrade Kanboard to version 1.2.41. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-54001.