Package: kanboard
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for kanboard.

CVE-2026-33058[0]:
| Kanboard is project management software focused on Kanban
| methodology. Versions prior to 1.2.51 have an authenticated SQL
| injection vulnerability. Attackers with the permission to add users
| to a project can leverage this vulnerability to dump the entirety of
| the kanboard database. Version 1.2.51 fixes the issue.

https://github.com/kanboard/kanboard/security/advisories/GHSA-f62r-m4mr-2xhh

CVE-2026-29056[1]:
| Kanboard is project management software focused on Kanban
| methodology. Prior to 1.2.51, Kanboard's user invite registration
| endpoint (`UserInviteController::register()`) accepts all POST
| parameters and passes them to `UserModel::create()` without
| filtering out the `role` field. An attacker who receives an invite
| link can inject `role=app-admin` in the registration form to create
| an administrator account. Version 1.2.51 fixes the issue.

https://github.com/kanboard/kanboard/security/advisories/GHSA-2jvj-q44v-6p3x

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33058
    https://www.cve.org/CVERecord?id=CVE-2026-33058
[1] https://security-tracker.debian.org/tracker/CVE-2026-29056
    https://www.cve.org/CVERecord?id=CVE-2026-29056

Please adjust the affected versions in the BTS as needed.
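The second advisory describes a mass-assignment defect: request fields are handed straight to the model, so a client-controlled `role` field becomes a stored attribute. The following PHP is an added illustration of that pattern and its usual fix, not Kanboard's code and not the patch shipped in 1.2.51; the `UserStore` class, the field names, the `app-user` role value and the `registerUnsafe`/`registerSafe` functions are hypothetical stand-ins so the two forms can be compared side by side.

```php
<?php
// Added example (not Kanboard's code): mass assignment in an invite-based
// registration handler, shown in a vulnerable and a hardened form.
// UserStore, the field names and the role values are hypothetical.
declare(strict_types=1);

final class UserStore
{
    /** @var array<int, array<string, mixed>> */
    private array $users = [];

    /** Stores whatever it is handed, like an unfiltered model create(). */
    public function create(array $values): array
    {
        $values['id'] = count($this->users) + 1;
        $this->users[] = $values;
        return $values;
    }
}

/**
 * Vulnerable pattern: every POST field is forwarded to the model, so a
 * client-supplied "role" ends up in the persisted user record.
 */
function registerUnsafe(UserStore $store, array $post): array
{
    return $store->create($post);
}

/**
 * Hardened pattern: copy only the fields a self-registering user may set,
 * record which fields were dropped (worth logging as a detection signal),
 * and set privileged attributes server-side from the invite, never from
 * the form.
 */
function registerSafe(UserStore $store, array $post, string $invitedEmail): array
{
    $allowed = ['username', 'name', 'password'];

    // Allow-list: anything not explicitly permitted is discarded.
    $values  = array_intersect_key($post, array_flip($allowed));
    $dropped = array_values(array_diff(array_keys($post), $allowed));

    foreach ($allowed as $field) {
        if (!isset($values[$field]) || !is_string($values[$field]) || $values[$field] === '') {
            throw new InvalidArgumentException("Missing registration field: $field");
        }
    }

    // Privileged attributes are decided by the server, not the client.
    $values['email']     = $invitedEmail;   // bound to the invite that was sent
    $values['role']      = 'app-user';      // hypothetical least-privilege role
    $values['is_active'] = 1;

    $record = $store->create($values);
    $record['dropped_fields'] = $dropped;   // surfaced so the caller can log it
    return $record;
}

// Constructed request: a legitimate registration with a smuggled role field.
$post = [
    'username' => 'alice',
    'name'     => 'Alice',
    'password' => 'correct horse battery staple',
    'role'     => 'app-admin',
];

$store  = new UserStore();
$unsafe = registerUnsafe($store, $post);
echo "unsafe: role stored as {$unsafe['role']}\n";          // app-admin

$safe = registerSafe($store, $post, 'alice@example.test');
echo "safe:   role stored as {$safe['role']}, dropped: "
   . implode(', ', $safe['dropped_fields']) . "\n";          // app-user, dropped: role
```

The allow-list is the important part: filtering out `role` alone would leave the handler exposed to any other privileged column the model accepts, whereas listing the permitted fields means new model attributes are safe by default. The `dropped_fields` list exists so that a registration request carrying unexpected fields can be logged and alerted on.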

