Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-52891

CRITICAL NVD
CVSS Score 9.9
Severity CRITICAL
Published Jul 15, 2026
Vendor unknown

Description

Wekan is open source kanban built with Meteor. Prior to 9.07, Wekan avatar upload functionality embeds user-supplied filenames into paths later passed to child_process.exec() for MIME-type detection. Because models/avatars.js and models/fileValidation.js used a shell command with the avatar filename, shell metacharacters such as backticks and $() in the filename could execute commands on the server. This issue is fixed in version 9.07.

References