CVE-2025-55011
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
12/08/2025
Last modified:
22/08/2025
Description
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, the createTaskFile method in the API does not validate whether the task_id parameter is a valid task id, nor does it check for path traversal. As a result, a malicious actor could write a file anywhere on the system the app user controls. The impact is limited due to the filename being hashed and having no extension. This issue has been patched in version 1.2.47.
Impact
Base Score 3.x
6.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:* | 1.2.47 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/kanboard/kanboard/blob/b2e35ac520add67cff792aab960b3c002c48e3d0/app/Api/Procedure/TaskFileProcedure.php#L47-L57
- https://github.com/kanboard/kanboard/commit/523a6135e944b6884c091a3fd7605af8ef133681
- https://github.com/kanboard/kanboard/security/advisories/GHSA-26f4-rx96-xc55
- https://github.com/kanboard/kanboard/security/advisories/GHSA-26f4-rx96-xc55