{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T11:47:41.713","vulnerabilities":[{"cve":{"id":"CVE-2025-52576","sourceIdentifier":"security-advisories@github.com","published":"2025-06-25T17:15:39.023","lastModified":"2025-08-22T18:23:53.877","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected, especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms, putting all user accounts at higher risk of brute-force or credential stuffing attacks. Version 1.2.46 contains a patch for the issue."},{"lang":"es","value":"Kanboard es un software de gestión de proyectos centrado en la metodología Kanban. Antes de la versión 1.2.46, Kanboard era vulnerable a la enumeración de nombres de usuario y a la elusión de la protección por fuerza bruta basada en suplantación de IP. Al analizar el comportamiento de inicio de sesión y abusar de los encabezados HTTP de confianza, un atacante puede determinar nombres de usuario válidos y eludir los mecanismos de limitación o bloqueo. Cualquier organización que ejecute una instancia de Kanboard de acceso público se ve afectada, especialmente si utiliza protecciones basadas en IP como Fail2Ban o CAPTCHA para la limitación de la tasa de inicio de sesión. Los atacantes con acceso a la página de inicio de sesión pueden explotar esta vulnerabilidad para enumerar nombres de usuario válidos y eludir los mecanismos de bloqueo basados en IP, lo que aumenta el riesgo de ataques de fuerza bruta o robo de credenciales. La versión 1.2.46 incluye un parche para solucionar este problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-203"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.46","matchCriteriaId":"E6D20FE2-A681-49ED-B6E6-1218CDDD6759"}]}]}],"references":[{"url":"https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Model/UserLockingModel.php#L101-L104","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Subscriber/AuthSubscriber.php#L96-L108","source":"security-advisories@github.com","tags":["Product"]
},{"url":"https://github.com/kanboard/kanboard/commit/3079623640dc39f9c7b0c840d2a79095331051f1","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/kanboard/kanboard/security/advisories/GHSA-qw57-7cx6-wvp7","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/kanboard/kanboard/security/advisories/GHSA-qw57-7cx6-wvp7","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Vendor Advisory"]}]}}]}