CVE-2026-25924
HIGH WAF: Low
CVSS 8.4
Published: 2026-02-11
CWE-863
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| kanboard | kanboard | up to 1.2.50 |
References
- github.com (Patch)
- github.com (Product, Release Notes)
- github.com (Exploit, Mitigation, Vendor Advisory)