CVE-2026-2205
WeKan Meteor Publication cards.js CardPubSubBleed information disclosure
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised.
| CWE | CWE-200 CWE-284 |
| Vendor | n/a |
| Product | wekan |
| Published | Feb 8, 2026 |
| Last Updated | Feb 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for n/a wekan
Be the first to know when new medium vulnerabilities affecting n/a wekan are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
n/a / WeKan
8.0 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.10 8.11 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.19 8.20
References
vuldb.com: https://vuldb.com/?id.344919 vuldb.com: https://vuldb.com/?ctiid.344919 vuldb.com: https://vuldb.com/?submit.752161 github.com: https://github.com/wekan/wekan/commit/0f5a9c38778ca550cbab6c5093470e1e90cb837f github.com: https://github.com/wekan/wekan/releases/tag/v8.21 github.com: https://github.com/wekan/wekan/
Credits
๐ MegaManSec (VulDB User)