6.9

CVSS4.0

CVE-2026-2117 - itsourcecode Society Management System edit_activity.php sql injection

A vulnerability was found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. The attack can be initiated remotely. The exploit has been made …

📅 Published: Feb. 7, 2026, 11:32 p.m. 🔄 Last Modified: April 17, 2026, 10:15 p.m.

6.9

CVSS4.0

CVE-2026-2116 - itsourcecode Society Management System edit_expenses.php sql injection

A vulnerability has been found in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/edit_expenses.php. Such manipulation of the argument expenses_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to t…

📅 Published: Feb. 7, 2026, 11:02 p.m. 🔄 Last Modified: April 17, 2026, 10:15 p.m.

6.9

CVSS4.0

CVE-2026-2115 - itsourcecode Society Management System delete_expenses.php sql injection

A flaw has been found in itsourcecode Society Management System 1.0. This issue affects some unknown processing of the file /admin/delete_expenses.php. This manipulation of the argument expenses_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been published …

📅 Published: Feb. 7, 2026, 10:32 p.m. 🔄 Last Modified: April 17, 2026, 10:15 p.m.

6.9

CVSS4.0

CVE-2026-2114 - itsourcecode Society Management System edit_admin.php sql injection

A vulnerability was detected in itsourcecode Society Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_admin.php. The manipulation of the argument admin_id results in sql injection. The attack may be performed from remote. The exploit is now public and may be us…

📅 Published: Feb. 7, 2026, 10:02 p.m. 🔄 Last Modified: April 18, 2026, 1:30 p.m.

7.1

CVSS4.0

CVE-2026-25859 - WeKan < 8.20 Migration Functionality Insufficient Permission Checks

WeKan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.

📅 Published: Feb. 7, 2026, 9:59 p.m. 🔄 Last Modified: April 17, 2026, 10:15 p.m.

7.1

CVSS4.0

CVE-2026-25568 - WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass

WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.

📅 Published: Feb. 7, 2026, 9:59 p.m. 🔄 Last Modified: April 17, 2026, 10:15 p.m.

5.3

CVSS4.0

CVE-2026-25567 - WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.

📅 Published: Feb. 7, 2026, 9:58 p.m. 🔄 Last Modified: April 17, 2026, 10:15 p.m.

7.1

CVSS4.0

CVE-2026-25566 - WeKan < 8.19 Cross-board Card Move Without Destination Authorization

WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enablin…

📅 Published: Feb. 7, 2026, 9:58 p.m. 🔄 Last Modified: April 17, 2026, 10:15 p.m.

7.1

CVSS4.0

CVE-2026-25565 - WeKan < 8.19 Read-only Board Roles Can Update Cards

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.

📅 Published: Feb. 7, 2026, 9:58 p.m. 🔄 Last Modified: March 5, 2026, 1:30 a.m.

7.1

CVSS4.0

CVE-2026-25564 - WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.

📅 Published: Feb. 7, 2026, 9:57 p.m. 🔄 Last Modified: April 17, 2026, 10:15 p.m.