Hall of Fame image from https://openclipart.org/detail/120343/trophy
Back to WeKan Website


Note: If some security researcher gets CVE number for any of these, please send that number to support at wekan.team . Thanks!

CVE Vulnerability name Date Responsible Security Disclosure by Vulnerabilities
TODO SocialBleed

2023-05-11 19.14 EET Rajesh Thapa

Did send detailed report!
  • Security: Links to Social Media at wekan.github.io could lead to theft of sensitive information
  • Affected Wekan website before 2024-05-12 05.34 EET
  • Fixed at Wekan website 2023-05-12 05.34 EET
  • More details
TODO AdminBleed

2023-04-24 16.40 EET Christian Pöschl of usd AG Responsible Disclosure Team

Did send detailed report!
  • Security: Non-Admin could change to Admin
  • Affected Wekan v6.85 and earlier
  • Fixed at Wekan v6.86 2023-04-26
  • More details
TODO InvisibleBleed

2023-04-24 03.35 EET Someone at chat

Sent report and disappeared.
  • Security: HTML comments not visible
  • Affected Wekan v6.85 and earlier
  • Fixed at Wekan v6.86 2023-04-26
  • More details
CVE-2023-31779 ReactionBleed

2023-02-28 12.36 EET Alexander Starikov at Jet Infosystems

Did send detailed report and fix!
TODO Filebleed

2023-02-16 17.35 EET SEC Consult, an Atos company

Did send detailed report!
TODO Emailbleed

2021-01-26 12.42 EET Georg Krause

Did send detailed report!
  • Security: SMTP password visible to Admin at Admin Panel by using browser inspect to see behind asterisks
  • Affected Wekan v1.59-v4.98
  • Fixed at Wekan v4.99 2021-02-25
  • More details
CVE-2021-3309 LDAPbleed

2021-01-26 0:42 EET robert-scheck

Did send report and sent fix! Although, report was at public GitHub issue, not via Responsible Security Disclosure

2021-01-11 EET xet7 - maintainer of Wekan

Did not notice security issue originally when merging new feature from pull request. Did fix issue when finally noticed it at production at Wekan demo server.
  • Due Cards and Broken Cards: As Admin user, at All Users view of Due Cards and Broken Cards, fixed to not show cards from other users private boards. This affected only logged in Admin user, not logged in other users.
  • Affected Wekan v4.73-v4.74
  • Fixed at Wekan v4.75 2021-01-11
  • More details

VRF#20-08-MDPNJ. VN: JVN#80785288 for attachments.

New report JVN#74210258, investigating

JVN#80785288 2020-03-23 17.03 EET
JVN#74210258 2022-05-23 13.33 EET
Cyb3rjunky and swsjona about input fields. Ryoya Koyama at Mitsui Bussan Secure Directions, Inc. (https://www.mbsd.jp/) about Javascript inside .SVG attachment

Did send detailed report!
VRF#20-08-SGSSC. Bypassbleed

2020-02-26 01:36 EET Dejan Zelic, Justin Benjamin and others at Offensive Security

Did send detailed report and helped fixing!
  • Auth Bypass
  • Unauthenticated SSRF
  • DoS
  • Unauthenticated Username Change
  • Unauthenticated Os Statistics
  • Affected Wekan v0.7-v3.80
  • Fixed at Wekan v3.81 2020-03-01
  • More details
VRF#20-08-DDFJJ. Userbleed

2018-06-12 Adrian Genaid at PLANTA Projektmanagement-Systeme GmbH

Did send detailed report and fix!
In Progress Update Request 938446

2018-06-12 Shadow Vault

Did not report to Wekan, was found later from CVE
VRF#20-08-LZGVF. Framebleed

2018-03-25 Team

Did send detailed report!
  • Cross Frame Scripting
  • Clickjacking
  • Improper Cache Control
  • Affected Wekan v0.7-v0.79
  • More details