{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T16:13:15.662","vulnerabilities":[{"cve":{"id":"CVE-2026-25567","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-02-07T22:16:02.333","lastModified":"2026-02-10T21:56:33.353","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier."},{"lang":"es","value":"Las versiones de WeKan anteriores a la 8.19 contienen una referencia directa insegura a objetos (IDOR) en la API de creación de comentarios de tarjetas. El endpoint acepta un authorId del cuerpo de la solicitud, permitiendo a un usuario autenticado suplantar al autor del comentario registrado al proporcionar el identificador de otro usuario."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*","versionEndExcluding":"8.19","matchCriteriaId":"BE76E9D8-332F-4A27-9690-CEEF9504B520"}]}]}],"references":[{"url":"https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d","source":"disclosure@vulncheck.com","tags":["Patch"]},{"url":"https://wekan.fi/","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}}]}