Description

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50.

INFO

Published Date :

2026-02-11T20:43:19.575Z

Last Modified :

2026-02-12T21:18:27.186Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25924 vulnerability.

Vendors Products
Kanboard
  • Kanboard
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25924.

URL Resource
https://github.com/kanboard/kanboard/commit/b9ada89b1a64034612fc4262b88c42458c0d6ee4 cve-icon cve-icon
https://github.com/kanboard/kanboard/releases/tag/v1.2.50 cve-icon cve-icon
https://github.com/kanboard/kanboard/security/advisories/GHSA-grch-p7vf-vc4f cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact