{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1897", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-04T14:46:27.111Z", "datePublished": "2026-02-05T00:02:07.858Z", "dateUpdated": "2026-02-05T15:45:10.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-05T00:02:07.858Z"}, "title": "WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "Missing Authorization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-863", "lang": "en", "description": "Incorrect Authorization"}]}], "affected": [{"vendor": "n/a", "product": "WeKan", "versions": [{"version": "8.0", "status": "affected"}, {"version": "8.1", "status": "affected"}, {"version": "8.2", "status": "affected"}, {"version": "8.3", "status": "affected"}, {"version": "8.4", "status": "affected"}, {"version": "8.5", "status": "affected"}, {"version": "8.6", "status": "affected"}, {"version": "8.7", "status": "affected"}, {"version": "8.8", "status": "affected"}, {"version": "8.9", "status": "affected"}, {"version": "8.10", "status": "affected"}, {"version": "8.11", "status": "affected"}, {"version": "8.12", "status": "affected"}, {"version": "8.13", "status": "affected"}, {"version": "8.14", "status": "affected"}, {"version": "8.15", "status": "affected"}, {"version": "8.16", "status": "affected"}, {"version": "8.17", "status": "affected"}, {"version": "8.18", "status": "affected"}, {"version": "8.19", "status": "affected"}, {"version": "8.20", "status": "affected"}, {"version": "8.21", "status": "unaffected"}], "modules": ["Position-History Tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-02-04T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-04T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-04T15:51:41.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "MegaManSec (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.344269", "name": "VDB-344269 | WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.344269", "name": "VDB-344269 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.742671", "name": "Submit #742671 | Wekan <8.21 Missing authorization checks leading to information disclosure a", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wekan/wekan/commit/55576ec17722db094835470b386162c9a662fb60", "tags": ["patch"]}, {"url": "https://github.com/wekan/wekan/releases/tag/v8.21", "tags": ["patch"]}, {"url": "https://github.com/wekan/wekan/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T15:45:02.879394Z", "id": "CVE-2026-1897", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:45:10.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1897", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T15:45:02.879394Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:45:06.807Z"}}], "cna": {"tags": ["x_open-source"], "title": "WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization", "credits": [{"lang": "en", "type": "reporter", "value": "MegaManSec (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C"}}], "affected": [{"vendor": "n/a", "modules": ["Position-History Tracking"], "product": "WeKan", "versions": [{"status": "affected", "version": "8.0"}, {"status": "affected", "version": "8.1"}, {"status": "affected", "version": "8.2"}, {"status": "affected", "version": "8.3"}, {"status": "affected", "version": "8.4"}, {"status": "affected", "version": "8.5"}, {"status": "affected", "version": "8.6"}, {"status": "affected", "version": "8.7"}, {"status": "affected", "version": "8.8"}, {"status": "affected", "version": "8.9"}, {"status": "affected", "version": "8.10"}, {"status": "affected", "version": "8.11"}, {"status": "affected", "version": "8.12"}, {"status": "affected", "version": "8.13"}, {"status": "affected", "version": "8.14"}, {"status": "affected", "version": "8.15"}, {"status": "affected", "version": "8.16"}, {"status": "affected", "version": "8.17"}, {"status": "affected", "version": "8.18"}, {"status": "affected", "version": "8.19"}, {"status": "affected", "version": "8.20"}, {"status": "unaffected", "version": "8.21"}]}], "timeline": [{"lang": "en", "time": "2026-02-04T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-04T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-04T15:51:41.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344269", "name": "VDB-344269 | WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.344269", "name": "VDB-344269 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.742671", "name": "Submit #742671 | Wekan <8.21 Missing authorization checks leading to information disclosure a", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wekan/wekan/commit/55576ec17722db094835470b386162c9a662fb60", "tags": ["patch"]}, {"url": "https://github.com/wekan/wekan/releases/tag/v8.21", "tags": ["patch"]}, {"url": "https://github.com/wekan/wekan/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "Incorrect Authorization"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-05T00:02:07.858Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1897", "state": "PUBLISHED", "dateUpdated": "2026-02-05T15:45:10.117Z", "dateReserved": "2026-02-04T14:46:27.111Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-05T00:02:07.858Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component."}], "id": "CVE-2026-1897", "lastModified": "2026-02-05T14:57:20.563", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-02-05T01:15:52.450", "references": [{"source": "[email protected]", "url": "https://github.com/wekan/wekan/"}, {"source": "[email protected]", "url": "https://github.com/wekan/wekan/commit/55576ec17722db094835470b386162c9a662fb60"}, {"source": "[email protected]", "url": "https://github.com/wekan/wekan/releases/tag/v8.21"}, {"source": "[email protected]", "url": "https://vuldb.com/?ctiid.344269"}, {"source": "[email protected]", "url": "https://vuldb.com/?id.344269"}, {"source": "[email protected]", "url": "https://vuldb.com/?submit.742671"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Primary"}]}

{}