CVE-2025-55010 CRITICAL

CVE-2025-55010: Kanboard Authenticated Admin Remote Code Execution via Unsafe Deserialization of Events

Vendor Kanboard

Product kanboard

Weakness CWE-502 · Unsafe deserialization

Published August 12, 2025

Last update August 12, 2025

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.

Key dates

02Disclosure timeline

August 12, 2025 CVE published

August 12, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-55010 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

04Related CVE

CVE-2024-4044 Deserialization of Untrusted Data Vulnerability in FlexLogger and InstrumentStudio CVE-2023-51422 WordPress WebinarIgnition Plugin <= 3.05.0 is vulnerable to PHP Object Injection CVE-2026-33439 Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM CVE-2024-2008 Modal Popup Box – Popup Builder, Show Offers And News in Popup <= 1.5.2 - Authenticated (Contributor+) PHP Object Injection in awl_modal_popup_box_shortcode CVE-2025-15348 Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability