CVE-2025-65779

moderate-risk

Published 2025-12-15

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards.

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Wekan

Affected Vendors

Wekan Project

References (4)

Product https://github.com/wekan/wekan

Release Notes https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--rel...

Patch https://github.com/wekan/wekan/commit/ea310d7508b344512e5de0dfbc9bdfd38145c5c5

Vendor Advisory https://wekan.fi/hall-of-fame/spacebleed/

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal