CVE-2025-65782
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-65782, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-15

Last updated on: 2025-12-23

Assigner: MITRE

Description

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-15
Last Modified
2025-12-23
Generated
2026-07-06
AI Q&A
2025-12-15
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wekan_project wekan to 8.15 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-NVD-CWE-noinfo

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Wekan up to version 18.15 is an authorization flaw in how card updates are handled. It allows board members, and potentially other authenticated users, to add or remove arbitrary user IDs in the vote.positive and vote.negative arrays. This means they can forge votes and vote on behalf of other users without authorization. The issue was fixed in version 18.16 by blocking direct client-side updates to voting fields and enforcing strict server-side authorization checks to ensure only the caller's own userId can be modified in voting arrays. [4]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users or board members to manipulate voting results on Wekan boards. They can add or remove votes on behalf of other users, leading to vote forgery and potentially skewed decision-making processes. This undermines the integrity of the voting system and can cause incorrect or unfair outcomes in collaborative environments. [4]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Wekan to version 18.16 or later where the issue is fixed. The fix blocks direct client-side updates to card voting fields and routes all voting actions through secure server methods enforcing strict authorization checks. Ensure that only authenticated board members or explicitly permitted users can modify votes, and that only the caller's own userId can be added or removed from vote arrays. Avoid using vulnerable versions up to 18.15. [2, 4]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65782. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart