CVE-2026-52891
Received Received - Intake

Avatar Upload Command Injection in Wekan

Vulnerability report for CVE-2026-52891, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Wekan is open source kanban built with Meteor. Prior to 9.07, Wekan avatar upload functionality embeds user-supplied filenames into paths later passed to child_process.exec() for MIME-type detection. Because models/avatars.js and models/fileValidation.js used a shell command with the avatar filename, shell metacharacters such as backticks and $() in the filename could execute commands on the server. This issue is fixed in version 9.07.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wekan wekan to 9.07 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Wekan is an open-source kanban tool built with Meteor. A vulnerability exists in versions prior to 9.07 where avatar uploads use user-supplied filenames in shell commands for MIME-type detection. This allows attackers to embed shell metacharacters like backticks or $() in filenames to execute arbitrary commands on the server.

Impact Analysis

This vulnerability allows remote attackers with upload privileges to execute arbitrary commands on the server. This could lead to full system compromise, data theft, or unauthorized access. Users should upgrade to version 9.07 or later to mitigate the risk.

Compliance Impact

This vulnerability could lead to unauthorized access or data breaches, violating GDPR and HIPAA requirements for data protection and access control. Organizations using affected versions may face compliance violations and potential penalties.

Detection Guidance

Check Wekan version with command: grep -r "version" /path/to/wekan/installation/package.json. If version is below 9.07, the system is vulnerable. Review uploaded avatar filenames for shell metacharacters like backticks or $().

Inspect server logs for unexpected command execution patterns or unusual file paths in avatar uploads.

Mitigation Strategies

Upgrade Wekan to version 9.07 or later immediately. Remove any suspicious avatar files uploaded before the upgrade. Restrict file upload permissions to trusted users only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52891. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart