{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T19:00:47.976","vulnerabilities":[{"cve":{"id":"CVE-2026-24885","sourceIdentifier":"security-advisories@github.com","published":"2026-02-10T17:16:20.940","lastModified":"2026-02-13T20:19:00.370","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute. Which allows unauthorized modification of project user roles if an authenticated admin visits a malicious site This vulnerability is fixed in 1.2.50."},{"lang":"es","value":"Kanboard es un software de gestión de proyectos centrado en la metodología Kanban. Antes de la versión 1.2.50, existe una vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en el ProjectPermissionController dentro de la aplicación Kanboard. La aplicación no logra aplicar estrictamente el Content-Type application/json para la acción changeUserRole. Aunque el cuerpo de la petición es JSON, el servidor acepta text/plain, permitiendo a un atacante crear un formulario malicioso usando el atributo text/plain. Lo que permite la modificación no autorizada de los roles de usuario del proyecto si un administrador autenticado visita un sitio malicioso. Esta vulnerabilidad está corregida en la versión 1.2.50."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-352"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.50","matchCriteriaId":"C1B88FC0-3CFD-4A8C-A9E4-9AAF4F1D51EE"}]}]}],"references":[{"url":"https://github.com/kanboard/kanboard/commit/2c56d92783d4a3094812c2f7cba50f80a372f95e","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/kanboard/kanboard/releases/tag/v1.2.50","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/kanboard/kanboard/security/advisories/GHSA-582j-h4w4-hwr5","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/kanboard/kanboard/security/advisories/GHSA-582j-h4w4-hwr5","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}