Command Injection Vulnerability in Wekan Kanban by Wekan Team
CVE-2026-52891

9.9CRITICAL

Key Information:

Vendor

Wekan

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-52891?

Wekan, an open-source kanban application built with Meteor, has a vulnerability in its avatar upload functionality prior to version 9.07. This vulnerability allows user-supplied filenames to be embedded into command paths that are executed by the server for MIME-type detection. Specifically, the use of shell commands for processing these filenames means that malicious attackers can exploit shell metacharacters like backticks and $() to execute arbitrary commands on the server. This critical issue was addressed in version 9.07, and users are strongly urged to upgrade to this version or later to mitigate the risk.

Affected Version(s)

wekan < 9.07

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.