SSRF in Wekan
CVE-2026-41455
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or mo…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (10.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N.
Affected products
- Wekan — versions 0, 2cd702f48df2b8aef0e7381685f8e089986a18a4
Weakness classification (CWE)
References
- disclosure@vulncheck.com (release-notes)
- disclosure@vulncheck.com (patch)
- disclosure@vulncheck.com (third-party-advisory)
Frequently asked questions
- What is CVE-2026-41455?
- CVE-2026-41455 is a high-severity vulnerability in Wekan, classified under Server-Side Request Forgery (SSRF). CVSS score: 8.5/10. Published 2026-04-22.
- How severe is CVE-2026-41455?
- High severity. CVSS v3 base score is 8.5 out of 10.