CVE-2025-46825

5.4 MEDIUM

📋 TL;DR

Kanboard versions 1.2.26 through 1.2.44 have a stored cross-site scripting vulnerability in the project creation form's name parameter. Attackers can inject malicious scripts that execute when other users view affected pages. The default CSP blocks JavaScript execution but CSS injection may still be possible if CSP is misconfigured.

💻 Affected Systems

Products:
  • Kanboard
Versions: 1.2.26 through 1.2.44
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Default CSP blocks JavaScript execution but CSS injection may be possible. Risk increases if CSP is modified to include 'unsafe-inline'.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, or deface the application interface through successful script execution.

🟠

Likely Case

Limited impact due to default CSP blocking JavaScript, but potential for CSS injection leading to UI manipulation or data exfiltration if CSP is weakened.

🟢

If Mitigated

Minimal impact with proper CSP configuration and input validation in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to create projects. Attack complexity is medium due to CSP restrictions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.45

Vendor Advisory: https://github.com/kanboard/kanboard/security/advisories/GHSA-5wj3-c9v4-pj9v

Restart Required: No

Instructions:

1. Back up your Kanboard installation and database.
2. Download version 1.2.45 from the official repository.
3. Replace the affected files with the patched versions.
4. Clear the application cache if applicable.

🔧 Temporary Workarounds

Enforce Strict CSP (applies to: all)

Ensure the Content Security Policy is configured without 'unsafe-inline' directives.

Review and update the CSP headers in the web server configuration.

Input Validation Filter (applies to: all)

Implement additional input sanitization for the project name parameter.

Add custom validation rules to sanitize HTML/script tags in project names.

🧯 If You Can't Patch

  • Restrict project creation permissions to trusted users only
  • Implement web application firewall rules to block XSS payloads in project names

🔍 How to Verify

Check if Vulnerable:

Check Kanboard version in admin panel or by examining the application files. Versions 1.2.26-1.2.44 are vulnerable.

Check Version:

Check Kanboard admin panel or examine app/version.php file

Verify Fix Applied:

Verify version is 1.2.45 or higher. Test project creation with XSS payloads to confirm sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual project creation activity
  • Project names containing script tags or unusual characters

Network Indicators:

  • HTTP requests with script payloads in project name parameter

SIEM Query:

web_requests WHERE url_path CONTAINS 'ProjectCreationController' AND (parameters CONTAINS 'script' OR parameters CONTAINS 'javascript')
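The SIEM query above applied to log lines, as an added example that is not part of the original page or of Kanboard: it percent-decodes the name parameter before matching (an encoded `<script>` never contains the literal substring `script` in a raw access log) and keys on markup syntax rather than the bare word "script", which would also flag harmless names. The log lines are constructed, and the assumption that the project name is visible in the logged request target is stated in the comments.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the page or from Kanboard):
# "<method> <request-target> <status>". The project name is assumed to be visible
# in the logged request target; on a real deployment it travels in the POST body,
# so you need body capture (web server, reverse proxy or WAF) for the same check.
SAMPLE_LOG = """\
POST /?controller=ProjectCreationController&action=save&name=Roadmap+2025 302
POST /?controller=ProjectCreationController&action=save&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E 302
POST /?controller=ProjectCreationController&action=save&name=%3Cstyle%3Ebody%7Bdisplay%3Anone%7D%3C%2Fstyle%3E 302
POST /?controller=ProjectCreationController&action=save&name=javascript+tips 302
GET /?controller=TaskViewController&action=show&task_id=42 200
"""

# HTML tag syntax (covers <script> and <style>, the CSS-injection case the page
# mentions), a javascript: URL scheme, or an inline event-handler attribute.
# A bare substring match on "script" would also flag harmless names such as
# "javascript tips" or "description", so the pattern keys on markup syntax instead.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_project_names(log_text: str) -> list[str]:
    """Return decoded project names sent to ProjectCreationController that contain markup."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        method, target = fields[0], fields[1]
        if method != "POST":
            continue
        params = parse_qs(urlsplit(target).query)
        # Kanboard's default URL scheme carries the controller name in the query string
        # (an assumption about the deployment; adjust if URL rewriting is enabled).
        if params.get("controller") != ["ProjectCreationController"]:
            continue
        # parse_qs already percent-decodes the value and turns '+' into a space.
        for name in params.get("name", []):
            if MARKUP_RE.search(name):
                hits.append(name)
    return hits


if __name__ == "__main__":
    for name in suspicious_project_names(SAMPLE_LOG):
        print("suspicious project name:", name)
```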
