CVE-2025-65778 · HIGH 8.1 · EPSS p23.3%

Description

An issue was discovered in Wekan, the open source kanban board system, up to version 18.15 (fixed in 18.16). Uploaded attachments can be served with an attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.32% probability of exploitation · percentile 23.3% · 2026-06-19T12:03:05Z
Published: 2025-12-15
Last modified: 2025-12-18

Underlying weaknesses · 1

CWE-79

References

  1. https://github.com/wekan/wekan
  2. https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release
  3. https://github.com/wekan/wekan/commit/e9a727301d7b4f1689a703503df668c0f4f4cab8
  4. https://wekan.fi/hall-of-fame/spacebleed/


Type      | Target                                                                                   | Confidence | Tier
Weakness  | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (cwe-79) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-65781
CVE: CVE-2026-30844
CVE: CVE-2025-65780
CVE: CVE-2026-1963
CVE: CVE-2026-1962
CVE: CVE-2026-41455
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.