Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on kanban board can insert JavaScript code in in "Reaction to comment" feature.
https://github.com/wekan/wekan/commit/47ac33d6c234359c31d9b5eae49ed3e793907279