CVE-2026-9627: Reflected XSS in Kanboard
| Field | Value |
|---|---|
| CVE ID | CVE-2026-9627 |
| CVSS score | 6.1 Medium |
| Attack vector | Network |
| Auth required | No attacker privileges required; victim interaction required |
| Patch status | Fixed in Kanboard 1.2.47 |
TL;DR - Reflected XSS in Kanboard
/project-permission/usersviasort- Affects all versions prior to1.2.47; upgrade now - No confirmed in-the-wild exploitation, but internet-exposed instances should treat as urgent
What happened and why it matters
CVE-2026-9627 is a reflected cross-site scripting (XSS) vulnerability in Kanboard, the open-source project management platform. According to the NVD description, the issue exists in the /project-permission/users endpoint and is triggered through the sort parameter. The flaw affects all Kanboard versions prior to 1.2.47, and the fix is included in 1.2.47.
For defenders, the practical concern is not raw availability impact but session and browser-context abuse. An attacker can craft a malicious Kanboard URL and send it to a user who is already authenticated to the application. If the user visits that URL, arbitrary JavaScript may execute in the context of the Kanboard origin. That can enable theft of session material, unauthorized actions as the victim, or user-interface manipulation. If the victim has elevated permissions in Kanboard, the impact can rise beyond what a “medium” label may suggest in day-to-day operations.
Exploitation status: what is known, and what is not
At the time of writing, exploitation in the wild is not confirmed from the reviewed sources. Specifically, CVE-2026-9627 is not listed in CISA KEV, which means there is no CISA-confirmed evidence of active exploitation from that source. That does not prove the bug is unexploited; it only means there is no confirmation in the referenced public source set.
For public proof-of-concept status, no separate public PoC repository was identified in the materials provided. However, defenders should not over-index on that absence. The vulnerable endpoint and parameter are explicitly named: /project-permission/users and sort. That makes the issue relatively easy for an attacker or tester to reproduce without a polished public exploit. In practice, you should assume a workable exploit can be assembled quickly by anyone familiar with reflected XSS testing.
Technical Notes
A representative malicious request would target the vulnerable endpoint with suspicious content in the sort parameter. Do not treat the following as a guaranteed working payload against your exact version; use it as a detection cue and validation aid:
GET /project-permission/users?sort=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1
Host: kanboard.example.com
Common indicators to flag in review pipelines include encoded script delimiters, event handlers, and JavaScript pseudo-protocols inside sort:
/project-permission/users?sort=%3Cscript%3E
/project-permission/users?sort="<svg/onload=
/project-permission/users?sort=javascript:
Affected versions and fixed release
The affected product is Kanboard. The vulnerable version range, based on the NVD-backed advisory text, is:
- Affected versions: all versions prior to
1.2.47 - Fixed version:
1.2.47
That means organizations running 1.2.46 and earlier should assume exposure unless they have independently backported the upstream fix. If your environment relies on distro packages, container images, or custom internal builds, do not assume safety based only on package age or image tag. Verify the embedded Kanboard version directly.
The upstream fix is linked from the NVD references and identified as commit 592ecbc363b95f07f7304f2c72f10cfac7d6af31. Even if you cannot immediately inspect the commit in your change workflow, the key operational point is straightforward: 1.2.47 is the first known fixed release. If your organization cannot upgrade quickly, treat any externally reachable Kanboard deployment as higher risk because reflected XSS is easily delivered by phishing or internal messaging.
Technical impact and attack path
The root cause is a classic input handling and output encoding failure consistent with CWE-79. User-controlled data from the sort parameter is reflected back into the server response in a way that can cause script execution in the browser. Because this is reflected rather than stored XSS, the attacker generally needs the victim to click or otherwise load a crafted URL. That aligns with the CVSS vector’s UI:R requirement.
The impact depends heavily on who clicks the link. A normal project user may expose their session or perform unintended actions. An administrator or project manager may enable more serious abuse, such as modifying permissions, changing workflow settings, or exposing project data that should remain restricted. The vulnerability has no direct availability impact in the CVSS assessment, but it can still create substantial operational risk if Kanboard is integrated into core project tracking or internal change coordination.
Technical Notes
The published CVSS v3.1 vector is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Interpretation for practitioners:
AV:N = exploitable over the network
AC:L = low complexity
PR:N = attacker needs no prior account to craft the exploit
UI:R = victim must interact, usually by opening a link
S:C = scope changed, because browser-side execution affects user context
C:L/I:L = confidentiality and integrity impacts are present
A:N = no direct availability impact scored
Bottom line
CVE-2026-9627 is a reflected XSS in Kanboard affecting all versions prior to 1.2.47. The vulnerable surface is clearly identified: /project-permission/users with the sort parameter. The fix is available in 1.2.47, and there is enough public information for defenders to patch, monitor, and hunt effectively.
There is no confirmed in-the-wild exploitation from the checked sources, and no separate public PoC was identified in the supplied materials. In the absence of stronger exploitation data, defenders should assume this is straightforward to weaponize, especially against users with active Kanboard sessions. Patch promptly, monitor suspicious requests, and invalidate sessions if you uncover indicators of attempted exploitation.
For further information on security practices, check out our articles on What is an Incident Response Plan and Incident Response Checklist for Small IT Teams.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Detection and threat hunting guidance
Detection should focus on two things: malicious requests to the vulnerable endpoint and downstream signs of browser-side abuse after a suspicious request. Because the issue is delivered through a GET parameter, reverse proxy, load balancer, and web server logs are usually the fastest place to start. Specifically, review requests to /project-permission/users where the sort parameter contains URL-encoded metacharacters, script tags, event handlers, or other unexpected content.
You should also review timelines around suspicious requests for follow-on authenticated activity from the same victim account. Reflected XSS often acts as an initial foothold for session riding or token theft. Look for unusual account actions shortly after a user requests a suspicious URL, especially if the request originated from a different source IP than the later authenticated actions. If you lack detailed app telemetry, reverse proxy logs plus Kanboard authentication and session events are still useful for triage.
Technical Notes
A concrete web log pattern to hunt for:
/project-permission/users.*sort=.*(%3Cscript%3E|<script>|%3Csvg|<svg|javascript:|onload=|onerror=|%22%3E|">s*<)
Example grep against Nginx or Apache access logs:
grep -E '/project-permission/users.*sort=.*(%3Cscript%3E|<script>|%3Csvg|<svg|javascript:|onload=|onerror=|%22%3E|">)' /var/log/nginx/access.log
Example Splunk query:
index=web (uri_path="/project-permission/users" OR url="*/project-permission/users*")
| eval full_request=coalesce(uri_query, url, request)
| regex full_request="(?i)sort=.*(%3cscript%3e|<script>|%3csvg|<svg|javascript:|onload=|onerror=|%22%3e|">)"
| stats count by src_ip, user, http_user_agent, full_request
Example Suricata-style HTTP signature concept for obvious payloads in the query string:
alert http any any -> $HOME_NET any (
msg:"Possible CVE-2026-9627 Kanboard sort parameter XSS probe";
flow:to_server,established;
http.uri; content:"/project-permission/users"; nocase;
http.uri; pcre:"/sort=.*(%3Cscript%3E|<script>|%3Csvg|<svg|javascript:|onload=|onerror=)/Ui";
sid:9627001; rev:1;
)
Mitigation and patching
The primary mitigation is to upgrade Kanboard to version 1.2.47 or later. Because the issue is fixed upstream and the vulnerable and fixed version boundaries are clearly stated, patching is the most reliable response. If you operate Kanboard in containers, through a package manager, or from a source checkout, validate the running application version after the update rather than trusting deployment metadata alone.
If immediate patching is not possible, apply compensating controls with the assumption that a crafted link sent to an authenticated user can trigger execution. Reduce exposure by restricting Kanboard to trusted networks, a VPN, or identity-aware access controls; warn users not to open untrusted Kanboard links; and use reverse proxy or WAF rules to block suspicious sort values on the affected endpoint. If you suspect compromise, invalidate active sessions and review recent administrative or project permission changes.
Technical Notes
If you deployed from a Git checkout, upgrade directly to the fixed release:
cd /opt/kanboard
git fetch --tags
git checkout v1.2.47
If you use Docker and maintain your own image tags, pull and redeploy a build that contains Kanboard 1.2.47 or later. Because image names vary by environment, verify the app version from inside the container or application UI after deployment:
docker ps
docker exec -it <kanboard_container> sh
# verify the application reports version 1.2.47 or later using your standard method
As a temporary reverse-proxy mitigation, deny obviously malicious sort values for the vulnerable path. Example Nginx approach:
location /project-permission/users {
if ($arg_sort ~* "(<script|%3cscript|<svg|%3csvg|javascript:|onload=|onerror=)") {
return 403;
}
proxy_pass http://kanboard_backend;
}
Use that only as a stopgap. It may miss obfuscated payloads and should not be treated as equivalent to upgrading.
Remediation priorities for security and IT teams
For SMBs and internal IT teams, priority should be based on reachability and user role concentration. If your Kanboard instance is internet-exposed, accessible from partner networks, or used heavily by privileged users, upgrade on an accelerated schedule. Even though the CVSS is medium and no in-the-wild exploitation is confirmed from the reviewed sources, reflected XSS is routinely practical in real environments because all it takes is a convincing link and an active user session.
For larger teams, include this CVE in your standard web application patch process, but pair the patch with user-awareness messaging and short-term telemetry review. In other words, do not just update and move on. Check whether anyone attempted to hit /project-permission/users with suspicious sort values before your patch window. If suspicious requests are found, assume possible session abuse and review account activity accordingly.
References
| Source | URL |
|---|---|
| NVD CVE record | https://nvd.nist.gov/vuln/detail/CVE-2026-9627 |
| GitHub Security Advisory | https://github.com/kanboard/kanboard/security/advisories/GHSA-4v7f-4mwc-w7xq |
| Upstream fix commit | https://github.com/kanboard/kanboard/commit/592ecbc363b95f07f7304f2c72f10cfac7d6af31 |