CVE-2025-65781HIGH 8.2EPSS p20.9%

CVE-2025-65781CVE-2025-65781

Description

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing.

Scoring

CVSS 3.18.2 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS0.29% probability of exploitation · percentile 20.9% · 2026-06-18T12:00:27Z
Published2025-12-15
Last modified2025-12-18

Underlying weaknesses· 2

CWE-287CWE-400

References

  1. https://github.com/wekan/wekan
  2. https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release
  3. https://github.com/wekan/wekan/commit/ccd90343394f433b287733ad0a33c08e0a71f53c
  4. https://wekan.fi/hall-of-fame/spacebleed/

2

TypeTargetConfidenceTier
WeaknessImproper Authenticationcwe-2870%live
WeaknessUncontrolled Resource Consumptioncwe-4000%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-65778
CVE
CVE-2025-65780
CVE
CVE-2026-30844
CVE
CVE-2026-1963
CVE
CVE-2026-30845
CVE
CVE-2026-41455
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.