CVE-2026-25531

Published: Feb 13, 2026

Modified: Feb 13, 2026

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50.

Vendor	Product	Versions
kanboard	kanboard	affected `< 1.2.50`

Weaknesses (CWE)

CWE-862

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/kanboard/kanboard/security/advisories/GHSA-vrm3-3337-whp9

x_refsource_CONFIRM

https://github.com/kanboard/kanboard/commit/df7b7a21ee071f36466d8b38e40d0b0b8b8d394d

x_refsource_MISC

https://github.com/kanboard/kanboard/releases/tag/v1.2.50

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-25531

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References