CVE-2026-52891 | Wekan up to 8.35 Avatar Upload models/avatars.js exec filename os command injection

SecurityVulns

A vulnerability described as critical has been identified in Wekan up to 8.35. Affected by this issue is the function exec of the file models/avatars.js of the component Avatar Upload. Executing a manipulation of the argument filename can lead to os command injection.

This vulnerability appears as CVE-2026-52891. The attack may be performed from remote. There is no available exploit.VulDB Recent EntriesRead More