CVE-2026-41455 - Vulnerability Analysis
High | CVSS: 8.5 | Last Updated: April 22, 2026
WeKan - Server-Side Request Forgery & Data Tampering
Published: April 22, 2026 | Updated: April 22, 2026 | Remote Exploitable
Overview
WeKan versions before 8.35 contain a server-side request forgery (SSRF) vulnerability caused by a lack of protocol restriction and destination validation in webhook integration URL handling. An attacker can create or modify integrations to send HTTP POST requests to internal targets and overwrite comments. Exploitation requires the ability to create or modify integrations.
Severity & Score
Severity: High
CVSS Score: 8.5
Impact
Attackers can send HTTP requests to internal network targets and overwrite arbitrary comment text, potentially leading to unauthorized data manipulation and internal network access.
Mitigation
Update to version 8.35 or later.
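The root cause named in the overview, missing protocol restriction and destination validation for webhook URLs, is something any webhook feature can be audited for. The following is an added example, not WeKan's code or its 8.35 fix: `checkWebhookUrl`, `isBlockedAddress` and the blocked-range list are hypothetical names and choices made here, and the caller is assumed to resolve the hostname itself and pass the resulting IPs in.

```javascript
// Added example, not WeKan code: allow-list the scheme, deny internal targets.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// IPv4 ranges that must never be webhook targets: [network, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

// Dotted-quad string to integer, or null if it is not a valid IPv4 literal.
function v4ToInt(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

// Expects addresses in canonical (compressed) form, as produced by the URL
// parser or the resolver. Anything unrecognised is blocked.
function isBlockedAddress(ip) {
  const addr = ip.toLowerCase();
  const mapped = addr.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  const n = v4ToInt(mapped ? mapped[1] : addr);
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
    });
  }
  if (!addr.includes(':')) return true; // neither IPv4 nor IPv6: fail closed
  // IPv6 loopback, unspecified, fc00::/7, fe80::/10, and hex-form mapped IPv4.
  return addr === '::1' || addr === '::' || addr.startsWith('::ffff:') ||
    /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
}

// resolvedAddresses: IPs the caller obtained from DNS for the hostname.
// Assumption: the caller then connects to exactly those IPs (no second lookup).
function checkWebhookUrl(raw, resolvedAddresses = []) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return { ok: false, reason: 'protocol not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const isLiteral = v4ToInt(host) !== null || host.includes(':');
  const targets = isLiteral ? [host] : resolvedAddresses;
  if (targets.length === 0) return { ok: false, reason: 'hostname did not resolve' };
  if (targets.some(isBlockedAddress)) return { ok: false, reason: 'internal destination' };
  return { ok: true, reason: 'allowed' };
}
```

The HTTP client that sends the webhook should connect to the checked IP and not follow redirects; otherwise the validated destination and the actual one can differ.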
Details
- CVE ID: CVE-2026-41455
- Severity: High
- CVSS Score: 8.5
- Type: server_side_request_forgery
- Status: new
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N