{"id":"CVE-2026-41455","summary":"WeKan \u003c 8.35 SSRF via Webhook URL","details":"WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.","modified":"2026-07-08T08:13:13.248662313Z","published":"2026-04-22T21:09:30.241Z","database_specific":{"cwe_ids":["CWE-918"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41455.json","unresolved_ranges":[{"extracted_events":[{"fixed":"8.35.0"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"VulnCheck"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41455.json"},{"type":"ADVISORY","url":"https://github.com/wekan/wekan/releases/tag/v8.35"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41455"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/wekan-ssrf-via-webhook-url"},{"type":"FIX","url":"https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4"},{"type":"PACKAGE","url":"https://github.com/wekan/wekan"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wekan/wekan","events":[{"introduced":"0"},{"fixed":"2cd702f48df2b8aef0e7381685f8e089986a18a4"},{"fixed":"ca87e5c3cf19f4ed37df5d97b395045bf7bf81e5"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v8.34","v8.33","v8.32","v8.31","v8.30","v8.29","v8.28","v8.27","v8.25","v8.26","v8.24","v8.23","v8.22","v8.21","v8.20","v8.19","v8.18","v8.17","v8.16","v8.15","v8.14","v8.12","v8.11","v8.10","v8.09","v8.08","v8.06","v8.05","v8.04","v8.03","v8.02","v8.01","v8.00","v7.99","v7.98","v7.97","v7.96","v7.95","v7.93","v7.92","v7.91","v7.90","v7.89","v7.88","v7.87","v7.86","v7.85","v7.84","v7.83","v7.82","v7.81","v7.80","v7.79","v7.78","v7.77","v7.76","v7.75","v7.74","v7.73","v7.72","v7.71","v7.70","v7.69","v7.68","v7.67","v7.65","v7.64","v7.63","v7.62","v7.61","v7.60","v7.59","v7.58","v7.57","v7.56","v7.55","v7.54","v7.53","v7.52","v7.51","v7.50","v7.49","v7.48","v7.47","v7.46","v7.45","v7.44","v7.43","v7.42","v7.41","v7.40","v7.39","v7.38","v7.37","v7.36","v7.35","v7.34","v7.33","v7.32","v7.31","v7.30","v7.29","v7.28","v7.27","v7.26","v7.25","v7.24","v7.23","v7.22","v7.21","v7.20","v7.19","v7.18","v7.17","v7.16","v7.15","v7.14","v7.12","v7.11","v7.10","v7.09","v7.08","v7.07","v7.06","v7.05","v7.04","v7.03","v7.02","v7.01","v7.00","v6.99.9","v6.99.8","v6.99.7","v6.99.6","v6.99.5","v6.99.4","v6.99.3","v6.99.2","v6.99.1","v6.99","v6.98","v6.97","v6.96","v6.95","v6.93","v6.92","v6.91","v6.90","v6.89","v6.88","v6.87","v6.86","v6.85","v6.84","v6.83","v6.82","v6.81","v6.80","v6.79","v6.78","v6.77","v6.76","v6.75","v6.74","v6.73","v6.72","v6.71","v6.70","v6.69","v6.68","v6.67","v6.65","v6.62","v6.61","v6.60","v6.59","v6.58","v6.57","v6.56","v6.55","v6.54","v6.53","v6.52","v6.51","v6.50","v6.49","v6.48","v6.47","v6.46","v6.45","v6.44","v6.43","v6.42","v6.41","v6.40","v6.39","v6.38","v6.37","v6.36","v6.35","v6.34","v6.33","v6.32","v6.31","v6.30","v6.29","v6.28","v6.27","v6.26","v6.25","v6.24","v6.23","v6.18","v6.17","v6.16","v6.15","v6.14","v6.13","v6.12","v6.11","v6.10","v6.05","v6.04","v6.03","v6.02","v6.01","v6.00","v5.99","v5.98","v5.97","v5.96","v5.95","v5.94","v5.93","v5.92","v5.91","v5.90","v5.89","v5.88","v5.87","v5.86","v5.85","v5.84","v5.83","v5.82","v5.81","v5.80","v5.78","v5.79","v5.77","v5.76","v5.75","v5.74","v5.73","v5.72","v5.71","v5.70","v5.69","v5.68","v5.67","v5.66","v5.65","v5.64","v5.63","v5.62","v5.61","v5.60","v5.59","v5.58","v5.57","v5.56","v5.55","v5.54","v5.53","v5.52","v5.51","v5.50","v5.49","v5.48","v5.47","v5.46","v5.45","v5.44","v5.43","v5.41","v5.42","v5.40","v5.39","v5.38","v5.37","v5.36","v5.35","v5.34","v5.33","v5.32","v5.31","v5.30","v5.29","v5.27","v5.26","v5.25","v5.20","v5.24","v5.23","v5.22","v5.21","v5.19","v5.18","v5.17","stable","v5.16","v5.15","v5.14","v5.13","v5.12","v5.11","v5.10","v5.09","v5.08","v5.07","v5.06","v5.05","v5.04","v5.03","v5.02","v5.01","v5.00","v4.99","v4.98","v4.96","v4.95","v4.94","v4.93","v4.92","v4.91","v4.90","v4.89","v4.88","v4.87","v4.86","v4.85","v4.84","v4.83","v4.82","v4.81","v4.80","v4.79","v4.78","v4.77","v4.76","v4.75","v4.74","v4.73","v4.72","v4.71","v4.70","v4.69","v4.64","v4.68","v4.67","v4.66","v4.65","v4.63","v4.62","v4.61","v4.60","v4.59","v4.58","v4.57","v4.56","v4.55","v4.54","v4.53","v4.52","v4.51","v4.50","v4.49","v4.48","v4.47","v4.46","v4.45","v4.44","v4.43","v4.42","v4.41","v4.40","v4.39","v4.38","v4.37","v4.36","v4.35","v4.34","v4.33","v4.32","4.31","4.30","v4.29","v4.28","v4.27","v4.26","v4.25","v4.24","v4.23","v4.22","v4.21","v4.20","v4.19","v4.18","v4.17","v4.16","v4.15","v4.14","v4.13","v4.12","v4.11","v4.10","v4.09","v4.08","v4.07","v4.06","v4.05","v4.04","v4.03","v4.02","v4.01","v4.00","v3.99","v3.98","v3.97","v3.92","v3.96","v3.95","v3.94","v3.93","v3.91","v3.90","v3.89","v3.88","v3.87","v3.86","v3.85","v3.84","v3.83","v3.82","v3.81","v3.80","v3.79","v3.78","v3.77","v3.76","v3.75","v3.74","v3.73","v3.71","v3.70","v3.69","v3.68","v3.67","v3.66","v3.65","v3.64","v3.63","v3.62","v3.61","v3.60","v3.59","v3.58","v3.57","v3.56","v3.55","v3.54","v3.53","v3.52","v3.51","v3.50","v3.49","v3.48","v3.47","v3.46","v3.45","v3.44","v3.43","v3.42","v3.41","v3.40","v3.39","v3.38","v3.37","v3.36","v3.35","v3.34","v3.33","v3.32","v3.31","v3.30","v3.29","v3.27","v3.26","v3.25","v3.24","v3.23","v3.22","v3.21","v3.18","v3.20","v3.19","v3.17","v3.16","v3.15","v3.14","v3.13","v3.12","v3.11","v3.10","v3.09","v3.08","v3.07","v3.06","v3.05","v3.04","v3.03","v3.02","v3.01","v3.00","v2.99","v2.98","v2.94","v2.60.1","v1.69.2","v1.69","v1.68","v1.67","v1.66","v1.65","v1.64.2","v1.64","v1.64.1","v1.63","v1.62","v1.61","v1.60","v1.59","v1.58","v1.57","v1.55.1","v1.53.9","v1.53.8","v1.53.7","v1.53.6","v1.53.5","v1.53.4","v1.53.3","v1.53.2","v1.53.1","v1.52.1","v1.51.2","v1.51.1","v1.50.3","v1.50.2","v1.50.1","v1.49.1","v1.49-edge-1","v1.47","v1.46","v1.45","v1.44","v1.43","v1.42","v1.41","v1.40","v1.39","v1.38","v1.37","v1.36","v1.35","v1.34","v1.33","v1.32","v1.31","v1.30","v1.29","v1.27","v1.26","v1.25","v1.24","v1.23","v1.21","v1.20","v1.19","v1.18","v1.17","v1.16","v1.15","v1.14","v1.13","v1.12","v1.11","v1.10","v1.09","v1.08","v1.07","v1.06","v0.95","v0.94","v0.93","v0.92","v0.91","v0.90","v0.89","v0.88","v0.87","v0.86","v0.85","v0.84","v0.83","v0.82","v0.81","v0.80","v0.79","v0.78","v0.77","v0.76","v0.75","v0.74","v0.73","v0.72","v0.71","v0.70","v0.69","v0.68","v0.67","v0.66","v0.65","v0.63","v0.62","v0.61","v0.60","v0.59","v0.58","v0.57","v0.56","v0.55","v0.54","v0.52","v0.51","v0.50","v0.49","v0.48","v0.47","v0.46","v0.45","v0.44","v0.43","v0.39","v0.42","v0.41","v0.40","v0.38","v0.37","v0.36","v0.35","v0.34","v0.33","v0.32","v0.31","v0.30","v0.29","v0.28","v0.27","v0.26","v0.25","v0.24","v0.23","v0.22","v0.21","v0.20","v0.19","v0.18","v0.17","v0.16","v0.13","v0.12","v0.11.1-rc2","v0.11.1-rc1","v0.11.0-rc2","v0.11.0-rc1","v0.10.0","v0.10.0-rc4","v0.10.0-rc3","v0.10-rc2","v0.10.0-rc1","v0.9.0-rc2","v0.9.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41455.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"}]}