CVE-2025-65778

Published: Dec 15, 2025

Modified: Dec 16, 2025

PUBLISHED

Description

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/wekan/wekan

https://wekan.fi/hall-of-fame/spacebleed/

https://github.com/wekan/wekan/commit/e9a727301d7b4f1689a703503df668c0f4f4cab8

https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-65778

Description

Affected Products

References