CVE-2025-65778

HIGH EPSS 23.5%
Published Dec 15, 20256mo ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published Dec 15, 2025 6mo ago
Last Modified Jun 17, 2026 1w ago

Description

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions.

CVSS Details

Base Score
8.1
Exploitability
2.8
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
23.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
wekan_projectwekan* <8.16

References 4

  • github.com https://github.com/wekan/wekan
    Product
  • github.com https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release
    Release Notes
  • github.com https://github.com/wekan/wekan/commit/e9a727301d7b4f1689a703503df668c0f4f4cab8
    Patch
  • wekan.fi https://wekan.fi/hall-of-fame/spacebleed/
    Vendor Advisory

Remediation

  • github.com https://github.com/wekan/wekan/commit/e9a727301d7b4f1689a703503df668c0f4f4cab8
    Patch