A vulnerability described as critical has been identified in Wekan up to 8.35. Affected by this issue is the function exec of the file models/avatars.js of the component Avatar Upload. Executing a manipulation of the argument filename can lead to os command injection.

This vulnerability appears as CVE-2026-52891. The attack may be performed from remote. There is no available exploit.