{"id":76600,"date":"2026-02-08T01:46:02","date_gmt":"2026-02-07T22:16:02","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-25567-wekan-8-19-card-comment-author-spoofing-via-user-controlled-authorid\/"},"modified":"2026-02-08T01:46:02","modified_gmt":"2026-02-07T22:16:02","slug":"cve-2026-25567-wekan-8-19-card-comment-author-spoofing-via-user-controlled-authorid","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-25567-wekan-8-19-card-comment-author-spoofing-via-user-controlled-authorid\/","title":{"rendered":"CVE-2026-25567 &#8211; WeKan &lt; 8.19 Card Comment Author Spoofing via User-controlled authorId"},"content":{"rendered":"<p>CVE ID : CVE-2026-25567<\/p>\n<p>Published :  Feb. 7, 2026, 10:16 p.m. | 1\u00a0hour, 3\u00a0minutes ago<\/p>\n<p>Description : WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user&#8217;s identifier.<\/p>\n<p>Severity: 5.3 | MEDIUM<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2026-25567 Published : Feb. 7, 2026, 10:16 p.m. | 1\u00a0hour, 3\u00a0minutes ago Description : WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-76600","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/76600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=76600"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/76600\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=76600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=76600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=76600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}