CVE-2026-52891

Wekan · Wekan

Wekan avatar upload functionality fails to sanitize filenames, leading to OS command injection via shell metacharacters during MIME-type detection.

Executive summary

A critical OS command injection vulnerability in Wekan allows authenticated attackers to execute arbitrary code on the underlying server.

Vulnerability

The application insecurely passes user-supplied avatar filenames to a shell command during MIME-type validation. An authenticated attacker can leverage shell metacharacters to bypass input filters and execute system-level commands.

Business impact

The ability to execute arbitrary OS commands grants an attacker complete control over the affected application server. This risk includes full data exfiltration, modification of system configurations, or lateral movement within the internal network. With a CVSS score of 9.9, the impact is considered critical due to the potential for total system compromise.

Remediation

Immediate Action: Update Wekan to version 9.07 or later immediately to resolve the command injection flaw.

Proactive Monitoring: Inspect server logs for unusual file names or unexpected process executions originating from the web application user.

Compensating Controls: Ensure the application runs with the least privilege necessary to limit the impact of a potential compromise.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability presents a severe risk to organizational infrastructure. Administrators should prioritize the deployment of the vendor-provided security update to version 9.07 as the primary mitigation. Failure to patch may result in unauthorized remote code execution and full system takeover.