CVE-2026-21879

EUVD-2026-1665
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49.
Open Redirect
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.7 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
GitHub_MCNA
4.7 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Affected Products (NVD)
VendorProductVersion
kanboardkanboard
𝑥
< 1.2.49
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
kanboard
forky
1.2.50+ds-1
fixed
sid
1.2.50+ds-1
fixed
Common Weakness Enumeration
References
https://github.com/kanboard/kanboard/commit/93bcae03301a6d34185a8dba977417e6b3de519f
https://github.com/kanboard/kanboard/releases/tag/v1.2.49
https://github.com/kanboard/kanboard/security/advisories/GHSA-mhv9-7m9w-7hcq
https://github.com/kanboard/kanboard/security/advisories/GHSA-mhv9-7m9w-7hcq