Stored Cross-Site Scripting Vulnerability in Kanboard Project Management Software
CVE-2025-46825

1.3 LOW

Key Information:

Vendor: Kanboard

Status
Vendor
CVE Published: 12 May 2025

What is CVE-2025-46825?

Kanboard, a project management application, is affected by a Stored Cross-Site Scripting (XSS) vulnerability: by manipulating the 'name' parameter in the Project Creation form, an attacker can have a malicious script stored and embedded in web pages. Kanboard versions 1.2.26 through 1.2.44 are affected. A default content security policy may mitigate this risk, but an improperly configured policy can expose users to the embedded script. Users are advised to upgrade to Kanboard version 1.2.45 or later, which includes a fix for this vulnerability.

Affected Version(s)

kanboard >= 1.2.26, < 1.2.45
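
As an added example (not Kanboard's code and not part of the original advisory), the following Python check combines the affected version range above with a test of whether a deployment's Content-Security-Policy value would still let inline script run. It assumes a single policy value per response; the function names and result labels are illustrative.

```python
import re

# Affected range as stated in the advisory: >= 1.2.26, < 1.2.45
AFFECTED_MIN, FIXED_IN = (1, 2, 26), (1, 2, 45)

def version_affected(text):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return AFFECTED_MIN <= tuple(int(p) for p in m.groups()) < FIXED_IN

def csp_allows_inline_script(header):
    """True if this single Content-Security-Policy value lets inline script run."""
    if not header or not header.strip():
        return True  # no policy: nothing blocks inline script
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a directive wins, duplicates are ignored
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])

    def inline_ok(name):
        # script-src-elem / script-src-attr fall back to script-src, then default-src
        for key in (name, "script-src", "default-src"):
            if key in directives:
                sources = directives[key]
                # a nonce or hash source makes browsers ignore 'unsafe-inline'
                pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                             for s in sources)
                return "'unsafe-inline'" in sources and not pinned
        return True  # no script directive and no default-src: unrestricted

    return inline_ok("script-src-elem") or inline_ok("script-src-attr")

def exposure(version, csp_header):
    if not version_affected(version):
        return "not-affected"
    return "affected-csp-open" if csp_allows_inline_script(csp_header) else "affected-csp-restrictive"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment
    samples = [
        ("1.2.44", "default-src 'self'"),
        ("1.2.44", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
        ("1.2.30", ""),
        ("1.2.45", ""),
    ]
    for version, csp in samples:
        print(version, repr(csp), "->", exposure(version, csp))
```

A result of `affected-csp-restrictive` means the policy only mitigates; the fix named in the advisory is still the upgrade to 1.2.45 or later.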

CVSS V4

Score: 1.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
