CVE-2025-65782

low-risk

Published 2025-12-15

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Wekan

Affected Vendors

Wekan Project

References (4)

Product https://github.com/wekan/wekan

Release Notes https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--rel...

Patch https://github.com/wekan/wekan/commit/0a1a075f3153e71d9a858576f1c68d2925230d9c

Vendor Advisory https://wekan.fi/hall-of-fame/spacebleed/

/ 100

low-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal