CVE-2026-2205

Published: Feb 8, 2026Modified: Feb 11, 2026

5.3

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised.

Affected (1)

Products: Wekan Project: Wekan

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wekan Project Wekan	Before 8.21

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

https://github.com/wekan/wekan/

Source: cna@vuldb.com

Product

https://github.com/wekan/wekan/commit/0f5a9c38778ca550cbab6c5093470e1e90cb837f

Source: cna@vuldb.com

Patch

https://github.com/wekan/wekan/releases/tag/v8.21

Source: cna@vuldb.com

ProductRelease Notes

https://vuldb.com/?ctiid.344919

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?id.344919

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/?submit.752161

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

Timeline

No history available yet.