CVE-2025-65781

high

Description

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing.

References

https://wekan.fi/hall-of-fame/spacebleed/

https://github.com/wekan/wekan/commit/ccd90343394f433b287733ad0a33c08e0a71f53c

https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release

https://github.com/wekan/wekan

Details

Source: Mitre, NVD

Published: 2025-12-15

Updated: 2025-12-18

Risk Information

CVSS v2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

Severity: High

CVSS v3

Base Score: 8.2

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Severity: High

EPSS

EPSS: 0.00018