CVE-2026-21879 MEDIUM

CVE-2026-21879: Kanboard vulnerable to Open Redirect via protocol-relative URLs

Vendor Kanboard
Product kanboard
Weakness CWE-601 · Open redirect
Published January 8, 2026
Last update January 8, 2026

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49.

Key dates

02Disclosure timeline

January 8, 2026 CVE published
January 8, 2026 Record updated