CVE-2026-41455

MEDIUM EPSS 14.4%

Published Apr 22, 20262mo ago · Modified Jun 17, 20261w ago

6.3 CVSS 4.0

Medium

Published Apr 22, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.

CVSS Details

Base Score

6.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

14.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-918 Server-Side Request Forgery (SSRF) Validation

References 3

github.com https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4
github.com https://github.com/wekan/wekan/releases/tag/v8.35
vulncheck.com https://www.vulncheck.com/advisories/wekan-ssrf-via-webhook-url

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.