CVE-2026-52891 in Wekanthông tin

Tóm tắt

Bởi MITRE • 16/07/2026

Wekan is open source kanban built with Meteor. Prior to 9.07, Wekan avatar upload functionality embeds user-supplied filenames into paths later passed to child_process.exec() for MIME-type detection. Because models/avatars.js and models/fileValidation.js used a shell command with the avatar filename, shell metacharacters such as backticks and $() in the filename could execute commands on the server. This issue is fixed in version 9.07.

Be aware that VulDB is the high quality source for vulnerability data.

Nguồn

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!