CVE-2026-25924
HIGH
CVSS 8.4
No EPSS data
Description
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-25924",
"cveTags": [],
"metrics": {
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-25924",
"role": "CISA Coordinator",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"version": "2.0.3",
"timestamp": "2026-02-12T21:18:20.841412Z"
}
}
],
"cvssMetricV31": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"scope": "CHANGED",
"version": "3.1",
"baseScore": 8.4,
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "REQUIRED",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "HIGH",
"confidentialityImpact": "HIGH"
},
"impactScore": 6,
"exploitabilityScore": 1.7
},
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "CHANGED",
"version": "3.1",
"baseScore": 8.4,
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "REQUIRED",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "HIGH",
"confidentialityImpact": "HIGH"
},
"impactScore": 6,
"exploitabilityScore": 1.7
}
]
},
"affected": [
{
"source": "security-advisories@github.com",
"affectedData": [
{
"vendor": "kanboard",
"product": "kanboard",
"versions": [
{
"status": "affected",
"version": "< 1.2.50"
}
]
}
]
}
],
"published": "2026-02-11T21:16:19.283",
"references": [
{
"url": "https://github.com/kanboard/kanboard/commit/b9ada89b1a64034612fc4262b88c42458c0d6ee4",
"tags": [
"Patch"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50",
"tags": [
"Product",
"Release Notes"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-grch-p7vf-vc4f",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"source": "security-advisories@github.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-863"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50."
},
{
"lang": "es",
"value": "Kanboard es un software de gesti\u00f3n de proyectos centrado en la metodolog\u00eda Kanban. Antes de la 1.2.50, una vulnerabilidad de omisi\u00f3n de control de seguridad en Kanboard permite a un administrador autenticado lograr la ejecuci\u00f3n remota de c\u00f3digo (RCE) completa. Aunque la aplicaci\u00f3n oculta correctamente la interfaz de instalaci\u00f3n de plugins cuando la configuraci\u00f3n PLUGIN_INSTALLER est\u00e1 establecida en falso, el endpoint de backend subyacente no verifica esta configuraci\u00f3n de seguridad. Un atacante puede explotar este descuido para forzar al servidor a descargar e instalar un plugin malicioso, lo que lleva a la ejecuci\u00f3n de c\u00f3digo arbitrario. Esta vulnerabilidad est\u00e1 corregida en la 1.2.50."
}
],
"lastModified": "2026-06-17T10:25:26.150",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C1B88FC0-3CFD-4A8C-A9E4-9AAF4F1D51EE",
"versionEndExcluding": "1.2.50"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}