Unsafe Deserialization in Kanboard Project Management Software
CVE-2025-55010

9.1 CRITICAL

Key Information:

Vendor:
Kanboard

Status:
Vendor

CVE Published:
12 August 2025

What is CVE-2025-55010?

Kanboard, a project management application built around the Kanban methodology, is susceptible to an unsafe deserialization flaw in its ProjectEventActivityFormatter component. Admin users can manipulate the event['data'] field in the project_activities table, and because that field is later deserialized, a malicious admin can cause arbitrary PHP objects to be instantiated. By supplying a PHP gadget chain through this path, a threat actor can place a web shell in the /plugins directory and achieve remote code execution on the host. The issue is fixed in version 1.2.47.
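The following PHP snippet is an added illustration of the defensive pattern behind this class of bug; it is not Kanboard's code or its actual patch. It assumes PHP 8 and a constructed event payload: the weak decoder lets the stored blob pick which classes are instantiated, while the hardened decoder refuses any object and accepts plain array data only.

```php
<?php
// Added illustration (not Kanboard's code): decoding the event['data'] blob of a
// project_activities row without letting the stored string choose PHP classes.

// Constructed sample: a serialized event payload as an application might store it.
$storedEventData = serialize(['task' => ['id' => 42, 'title' => 'Fix login bug']]);

// Weak pattern: unserialize() with no options instantiates any class named in the
// input, so whoever can write this column controls which objects get built and
// which magic methods (__wakeup, __destruct, ...) run.
function decodeEventUnsafe(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern: allowed_classes => false turns every object in the input into
// __PHP_Incomplete_Class, so no application class is constructed; max_depth bounds
// nesting. The caller then rejects anything that is not plain array data.
function decodeEventSafe(string $blob): array
{
    $data = unserialize($blob, ['allowed_classes' => false, 'max_depth' => 16]);
    if (!is_array($data) || containsObject($data)) {
        throw new UnexpectedValueException('event data is not plain array data');
    }
    return $data;
}

// Recursively checks whether a decoded value still carries any object.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

var_dump(decodeEventSafe($storedEventData)['task']['id']);
```

Storing event data as JSON rather than PHP's native serialization format removes the object-instantiation surface altogether and is the more robust fix where the schema allows it.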

Affected Version(s)

kanboard < 1.2.47

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved