Password Reset Vulnerability in Kanboard Project Management Software
CVE-2025-52560

8.1HIGH

Key Information:

Vendor: Kanboard
Status: Kanboard
Vendor: CVE Published:; 24 June 2025

What is CVE-2025-52560?

A vulnerability in Kanboard's handling of password reset emails allows an attacker to exploit unvalidated Host headers. If the application_url configuration is not set, attackers can craft malicious password reset links that lead to their own domain. When a victim clicks the link, it compromises their account by leaking the reset token. This issue affects all users initiating a password reset, including administrators. The vulnerability has been remediated in version 1.2.46.

Affected Version(s)

kanboard < 1.2.46

References

https://github.com/kanboard/kanboard/security/advisories/...

x_refsource_CONFIRM

https://github.com/kanboard/kanboard/commit/bca2bd7ab95e7...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2025
Vulnerability Reserved
Jun 18, 2025