CVE-2025-65780

Published: Dec 15, 2025Modified: Dec 18, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privilege escalation and unauthorized access to other teams/orgs.

Affected (1)

Products: Wekan Project: Wekan

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wekan Project Wekan	Before 8.16

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/wekan/wekan

Source: cve@mitre.org

Product

https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release

Source: cve@mitre.org

Release Notes

https://github.com/wekan/wekan/commit/f26d58201855e861bab1cd1fda4d62c664efdb81

Source: cve@mitre.org

Patch

https://wekan.fi/hall-of-fame/spacebleed/

Source: cve@mitre.org

Vendor Advisory

Timeline

No history available yet.