CVE-2026-58660 in KanboardИнформация

Сводка

по MITRE • 15.07.2026

Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() method (used by the kanban board drag-and-drop endpoint) validates the caller's role on the attacker-supplied project_id but never verifies that the supplied task_id actually belongs to that project. Because task identifiers are sequential integers shared across the entire instance, any authenticated user who is a member of at least one project can enumerate and move (corrupt/hide) tasks belonging to any other project on the same instance, including private projects they have no membership or role on.

Be aware that VulDB is the high quality source for vulnerability data.

Ответственный

VulnCheck

Резервировать

01.07.2026

Раскрытие

15.07.2026

Модерация

принято

Вход

VDB-379344

EPSS

0.00000

KEV

Нет

Деятельности

Очень низкий

Источники

Do you want to use VulDB in your project?

Use the official API to access entries easily!