CVE-2025-55011 MEDIUM

CVE-2025-55011: Kanboard Path Traversal in File Write via Task File Upload API

Vendor Kanboard
Product kanboard
Weakness CWE-22 · Path traversal
Published August 12, 2025
Last update August 12, 2025

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, the createTaskFile method in the API does not validate whether the task_id parameter is a valid task id, nor does it check for path traversal. As a result, a malicious actor could write a file anywhere on the system the app user controls. The impact is limited due to the filename being hashed and having no extension. This issue has been patched in version 1.2.47.
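The two missing checks named in the description (a task_id that is really a task id, and a resolved path that stays inside the storage directory) can be sketched as follows. This is an added example, not Kanboard's code or its 1.2.47 patch; the function names, the `$taskExists` callback and the `<base>/tasks/<task_id>/<hashed name>` layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Kanboard code. Names and directory layout are assumptions.

// Accept only a canonical positive decimal integer as a task id.
function parse_task_id(mixed $raw): int
{
    if (is_int($raw) && $raw > 0) {
        return $raw;
    }
    if (is_string($raw) && preg_match('/\A[1-9][0-9]{0,17}\z/', $raw) === 1) {
        return (int) $raw;
    }
    throw new InvalidArgumentException('task_id must be a positive integer');
}

// Build the storage path for an uploaded task file and confirm it stays under $baseDir.
// $taskExists is a hypothetical callback standing in for the database lookup.
function task_file_path(string $baseDir, mixed $rawTaskId, string $filename, callable $taskExists): string
{
    $taskId = parse_task_id($rawTaskId);
    if (!$taskExists($taskId)) {
        throw new InvalidArgumentException('unknown task');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('storage directory missing');
    }
    $dir = $base . DIRECTORY_SEPARATOR . 'tasks' . DIRECTORY_SEPARATOR . $taskId;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create task directory');
    }
    // Resolve symlinks and ".." before comparing against the base directory.
    $resolved = realpath($dir);
    if ($resolved === false || !str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('path escapes storage directory');
    }
    return $resolved . DIRECTORY_SEPARATOR . hash('sha256', $filename . random_bytes(16));
}

// Constructed inputs: only task 7 exists; traversal strings and unknown ids are rejected.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'kb_demo_' . bin2hex(random_bytes(4));
mkdir($base, 0750, true);
$exists = fn (int $id): bool => $id === 7;
foreach ([7, '7', '../../etc', '7/../../x', 8] as $candidate) {
    try {
        echo var_export($candidate, true), ' -> ', task_file_path($base, $candidate, 'a.txt', $exists), PHP_EOL;
    } catch (Throwable $e) {
        echo var_export($candidate, true), ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```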

Key dates

02 Disclosure timeline

August 12, 2025 CVE published
August 12, 2025 Record updated