View at Official debian advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2026-25924 not yet assigned priority: Debian including 1 source packages (kanboard), 1 status rows across 1 suites (sid): resolved 1.
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50.