Command Injection Vulnerability in Wekan Kanban by Wekan Team
CVE-2026-52891
9.9CRITICAL
What is CVE-2026-52891?
Wekan, an open-source kanban application built with Meteor, has a vulnerability in its avatar upload functionality prior to version 9.07. This vulnerability allows user-supplied filenames to be embedded into command paths that are executed by the server for MIME-type detection. Specifically, the use of shell commands for processing these filenames means that malicious attackers can exploit shell metacharacters like backticks and $() to execute arbitrary commands on the server. This critical issue was addressed in version 9.07, and users are strongly urged to upgrade to this version or later to mitigate the risk.
Affected Version(s)
wekan < 9.07
