CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59154

mediumCVSS 4.3covered by 1 sourcefirst seen 2026-07-10
Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64.

⚡ Watch CVE-2026-59154

Get an email if CVE-2026-59154 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-59154

CVE.org record

Embed the live status

CVE-2026-59154 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59154 status](https://www.csirts.com/badge/CVE-2026-59154)](https://www.csirts.com/cve/CVE-2026-59154)