{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41455", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T16:07:47.310Z", "datePublished": "2026-04-22T21:09:30.241Z", "dateUpdated": "2026-04-23T13:36:27.828Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T21:12:51.311Z"}, "title": "WeKan < 8.35 SSRF via Webhook URL", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "affected": [{"vendor": "wekan", "product": "wekan", "repo": "https://github.com/wekan/wekan", "versions": [{"status": "affected", "version": "0", "lessThan": "8.35.0", "versionType": "semver"}, {"status": "unaffected", "version": "2cd702f48df2b8aef0e7381685f8e089986a18a4", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "WeKan before\u00a08.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "WeKan before&nbsp;8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.<br>"}]}], "references": [{"url": "https://github.com/wekan/wekan/releases/tag/v8.35", "tags": ["release-notes"]}, {"url": "https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/wekan-ssrf-via-webhook-url", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Rodolphe GHIO", "type": "finder"}, {"lang": "en", "value": "xet7", "type": "remediation developer"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:36:00.502564Z", "id": "CVE-2026-41455", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:36:27.828Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41455", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T13:36:00.502564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:36:17.321Z"}}], "cna": {"title": "WeKan < 8.35 SSRF via Webhook URL", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Rodolphe GHIO"}, {"lang": "en", "type": "remediation developer", "value": "xet7"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/wekan/wekan", "vendor": "wekan", "product": "wekan", "versions": [{"status": "affected", "version": "0", "lessThan": "8.35.0", "versionType": "semver"}, {"status": "unaffected", "version": "2cd702f48df2b8aef0e7381685f8e089986a18a4", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/wekan/wekan/releases/tag/v8.35", "tags": ["release-notes"]}, {"url": "https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/wekan-ssrf-via-webhook-url", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "WeKan before\u00a08.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.", "supportingMedia": [{"type": "text/html", "value": "WeKan before&nbsp;8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T21:12:51.311Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41455", "state": "PUBLISHED", "dateUpdated": "2026-04-23T13:36:27.828Z", "dateReserved": "2026-04-20T16:07:47.310Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-22T21:09:30.241Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WeKan before\u00a08.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks."}], "id": "CVE-2026-41455", "lastModified": "2026-04-23T16:27:11.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-22T22:16:32.677", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/wekan/wekan/releases/tag/v8.35"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/wekan-ssrf-via-webhook-url"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.35.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "2cd702f48df2b8aef0e7381685f8e089986a18a4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wekan", "source": "cna", "vendor": "wekan"}, "product": "wekan", "vendor": "wekan"}], "analysis": {"en": {"generated_at": "2026-04-27T08:22:50.052238+00:00", "value": {"mitigation_remediation": ["Apply the latest WeKan release\u00a08.35 or later to resolve the SSRF and comment overwrite issue. ", "If an update cannot be performed immediately, restrict the allowable webhook URL schemes to \"http\" and \"https\" and enforce hostname validation to prevent requests to internal addresses. ", "Monitor integration configurations and audit any unauthorized changes to webhook URLs to detect potential misuse. "], "summary": {"action": "Immediate Patch", "impact": "SSRF that can access internal network and modify comments"}, "threat_synthesis": {"affected_systems": "WeKan products running any version before\u00a08.35 are affected. The vulnerability is present in all releases prior to the\u00a08.35 release, which introduced proper validation of webhook URLs.", "description_and_impact": "WeKan prior to version\u00a08.35 has a server\u2011side request forgery flaw in the webhook integration URL handling. The URL schema field accepts any string without protocol restriction or destination validation, allowing an attacker who can create or modify integrations to set webhook URLs that point to internal network addresses. When a board event triggers, the server makes an HTTP POST request to the attacker\u2011controlled internal target, sending the full event payload. The response from that target can then be used to overwrite any comment text on the board without authentication checks.", "risk_and_exploitability": "The CVSS score of\u00a06.3 indicates a moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to add or edit webhook integrations, a privilege that may be granted to board\u2011owners or higher\u2011level users. Once enabled, an attacker can harvest internal network information and alter board comments, potentially leading to data exfiltration and content tampering. The likelihood of exploitation depends on the setup; internal\u2011only targets mitigate external exposure, but the lack of protocol or destination checks makes any internal service reachable from the server."}}}}, "created": "2026-04-27T18:42:00.078026+00:00", "updated": "2026-04-27T19:30:11.877118+00:00", "vendors": ["wekan", "wekan$PRODUCT$wekan"]}