CVE-2025-55010

HIGH EPSS 54.2%
Published Aug 12, 202510mo ago · Modified Jun 17, 20261w ago
7.2 CVSS 3.1
High
Find Similar
Published Aug 12, 2025 10mo ago
Last Modified Jun 17, 2026 1w ago

Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.

CVSS Details

Base Score
7.2
Exploitability
1.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
54.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data Validation

Affected Products 1

VendorProductVersionRange
kanboardkanboard* <1.2.47

References 3

  • github.com https://github.com/kanboard/kanboard/blob/b033c0e0f982f8158e240bce8ab54c29727f8efe/app/Formatter/ProjectActivityEventFormatter.php#L43-L57
    Product
  • github.com https://github.com/kanboard/kanboard/commit/7148ac092e5db6b33e0fc35e04bca328d96c1f6f
    Patch
  • github.com https://github.com/kanboard/kanboard/security/advisories/GHSA-359x-c69j-q64r
    ExploitThird Party Advisory

Remediation

  • github.com https://github.com/kanboard/kanboard/commit/7148ac092e5db6b33e0fc35e04bca328d96c1f6f
    Patch