GitHub Security Advisories reports:
Kanboard allows password reset emails to be sent with URLs
derived from the unvalidated Host header when the
application_url configuration is unset (default behavior).
This allows an attacker to craft a malicious password
reset link that leaks the token to an attacker-controlled
domain. If a victim (including an administrator) clicks
the poisoned link, their account can be taken over. This
affects all users who initiate a password reset while
application_url is not set.