CVE-2025-65782

Description

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting.

CVSS v3.1 Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Weakness Type (CWE)

CWE-285 CWE-285

Affected Products

Vendor	Product	Versions
wekan_project	wekan	< 8.15

References

Advisories & Patches

https://github.com/wekan/wekan/commit/0a1a075f3153e71d9a858576f1c68d2925230d9c https://wekan.fi/hall-of-fame/spacebleed/

Other References

https://github.com/wekan/wekan https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release

Frequently Asked Questions

What is CVE-2025-65782? +

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting. It has a CVSS v3.1 base score of 6.5 (MEDIUM).

How severe is CVE-2025-65782? +

CVE-2025-65782 has a CVSS v3.1 score of 6.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2025-65782? +

CVE-2025-65782 affects products from wekan_project, specifically: wekan. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-65782? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-3013

Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf Penetration Testing allows an attacker …

CVE-2025-3014

Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access …

CVE-2025-27509

fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a …

CVE-2024-26291

An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate …

CVE-2025-49594

XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version …

CVE-2025-61928

Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or …