Kanboard Open Redirect Vulnerability

Vulnerability

An open redirect vulnerability has been identified in Kanboard versions through 1.2.48. It arises from improper validation of redirect URLs, specifically protocol-relative URLs (of the form //host/path), which can be abused to redirect authenticated users to malicious websites. The vulnerability could be used for phishing attacks, credential theft, or malware distribution. The issue has been fixed in version 1.2.49.

Impact

Exploitation of this vulnerability allows for open redirects to attacker-controlled websites, which can be used to conduct phishing attacks, steal user credentials, or distribute malware.

Reproduction

To reproduce this vulnerability, send a link containing a protocol-relative URL (e.g., //evil.com) to a user. When the user clicks the link, Kanboard stores the URL in the session and redirects them to the login page. After logging in, they are redirected to the attacker-controlled site, because the protocol-relative URL passes the redirect validation.
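As an added illustration that is not Kanboard's code: a naive "starts with a slash" check placed beside a hardened same-origin check, showing why a protocol-relative URL passes the former but not the latter. APP_BASE and the sample redirect targets are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample redirect targets, not taken from Kanboard or from this advisory.
SAMPLE_TARGETS = [
    "/board/1",                 # legitimate in-app path
    "//evil.example/phish",     # protocol-relative URL (the class this advisory describes)
    "///evil.example/",         # browsers collapse the extra slashes to //
    "/\\evil.example/",         # backslash variant browsers normalise to //
    "https://evil.example/",    # plain absolute URL
    "/board/1?search=x#tab",    # in-app path with query and fragment
]

APP_BASE = "https://kanboard.example/"  # hypothetical deployment base URL

def weak_is_local(target: str) -> bool:
    """Naive check: anything starting with '/' is assumed to stay on this host.
    A protocol-relative URL such as //evil.example/ slips straight through."""
    return target.startswith("/")

def safe_is_local(target: str) -> bool:
    """Hardened check: reject characters browsers normalise in surprising ways,
    require a single leading '/', then resolve against the app base URL and
    require the result to keep the base scheme and host."""
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    if not target.startswith("/") or target.startswith("//"):
        return False
    resolved = urlsplit(urljoin(APP_BASE, target))
    base = urlsplit(APP_BASE)
    return resolved.scheme == base.scheme and resolved.netloc == base.netloc

def classify(targets=SAMPLE_TARGETS):
    """Return {target: (weak_verdict, safe_verdict)} for each sample target."""
    return {t: (weak_is_local(t), safe_is_local(t)) for t in targets}

if __name__ == "__main__":
    for t, (weak, safe) in classify().items():
        print(f"{t!r:28} weak={weak!s:5} safe={safe}")
```

The explicit "//" prefix test matters because urlsplit treats "///evil.example/" as a path on the current host while browsers treat it as a host-relative URL.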

Remediation

Update to Kanboard version 1.2.49 or later, where this vulnerability has been fixed.

Added: Jan 8, 2026, 2:20 AM
Updated: Jan 8, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 7.7
remediation: 7.7
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.