CVE-2026-33058 - Vulnerability Analysis
Severity: Medium | CVSS: 6.5 | Last Updated: March 18, 2026
Kanboard - SQL Injection
Published: March 18, 2026 | Updated: March 18, 2026 | PoC Available | Remote Exploitable
Overview
Kanboard before 1.2.51 contains an authenticated SQL injection caused by improper input sanitization in the user-addition functionality. An attacker who holds the project permission to add users can dump the entire database; exploitation requires an authenticated user with that add-user permission.
Severity & Score
Severity: Medium
CVSS Score: 6.5
EPSS Score: 3.1% (probability of exploitation in the next 30 days)
Impact
Attackers can dump the entire Kanboard database, exposing all stored data.
Mitigation
Upgrade to version 1.2.51 or later.
Social Media Activity (1 post)
/r/netsec
@_r_netsec
Kanboard Authenticated SQL Injection CVE-2026-33058 Writeup https://0dave.ch/posts/cve-2026-33058/
Details
- CVE ID: CVE-2026-33058
- Severity: Medium
- CVSS Score: 6.5
- Type: sql_injection
- Status: confirmed
- EPSS: 3.1%
- Social Posts: 1
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
3.1% (probability of exploitation in the next 30 days)