CVE-2025-65778

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to upload malicious attachments that are served with HTML content types, enabling cross-site scripting (XSS) attacks within the Wekan application's origin. Attackers can steal user sessions, authentication tokens, and perform CSRF actions. All Wekan instances up to version 18.15 are affected.

💻 Affected Systems

Products:
  • Wekan
Versions: All versions up to 18.15
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, data theft, and unauthorized administrative actions through stolen sessions and CSRF attacks.

🟠 Likely Case: Session hijacking leading to unauthorized access to boards, card data, and user information.

🟢 If Mitigated: Limited impact with proper content security policies and attachment validation in place.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly accessible to attackers who can upload malicious attachments.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to upload attachments (authenticated user), but the attack itself is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.16

Vendor Advisory: https://wekan.fi/hall-of-fame/spacebleed/

Restart Required: Yes

Instructions:

1. Back up your Wekan data and configuration.
2. Update to Wekan version 18.16 or later.
3. Restart the Wekan service.
4. Verify the fix by checking the version and testing attachment uploads.

🔧 Temporary Workarounds

Disable attachment uploads (applies to: all)

Temporarily disable file upload functionality to prevent exploitation: modify the Wekan configuration to set ALLOW_FILE_UPLOAD=false.

Implement strict Content-Type validation (applies to: all)

Add middleware to validate and sanitize Content-Type headers for uploaded files, and add custom validation in Wekan's attachment handling code.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to limit script execution
  • Monitor and audit all file uploads for suspicious Content-Type values

🔍 How to Verify

Check if Vulnerable:

Check if Wekan version is 18.15 or earlier. Review if uploaded files can be served with text/html Content-Type.

Check Version:

Check Wekan admin panel or run: docker exec wekan-app node -e "console.log(require('/app/programs/server/npm/node_modules/meteor/wekan/package.json').version)"

Verify Fix Applied:

After updating to 18.16 or later, upload a test file and verify that it is served with the correct Content-Type (not text/html).

📡 Detection & Monitoring

Log Indicators:

  • File uploads with suspicious filenames or extensions
  • Requests for attachments with Content-Type: text/html

Network Indicators:

  • Unusual spikes in attachment downloads
  • Requests to attachment endpoints with suspicious referrers

SIEM Query:

source="wekan" AND (attachment_upload OR file_upload) AND (content_type="text/html" OR filename="*.html")
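The two checks above (verifying that attachments are no longer served as HTML, and flagging uploads that match the SIEM query) as a small Node.js script. This is an added example, not code from the advisory or from the Wekan project; it assumes JSON log lines with the field names used in the SIEM query (source, event, filename, content_type) and response headers as a plain object with lower-case keys, as Node's http module returns them.

```javascript
// Added example for CVE-2025-65778 (not from the advisory or Wekan). Assumptions:
// JSON log lines carrying source/event/filename/content_type, and response headers
// as a plain object with lower-case keys (the shape Node's http module returns).

// Content types a browser renders as active content in the app origin.
// The advisory names text/html; extend this set as a site policy decision.
const ACTIVE_CONTENT_TYPES = new Set(["text/html"]);

// Reduce a Content-Type header to its media type: "text/html; charset=utf-8" -> "text/html".
function mediaType(value) {
  return String(value || "").split(";")[0].trim().toLowerCase();
}

// "Verify Fix Applied": true only when an attachment response cannot execute in the
// Wekan origin: not an active type, delivered as a download, and MIME sniffing disabled.
function attachmentServedSafely(headers) {
  const type = mediaType(headers["content-type"]);
  const disposition = String(headers["content-disposition"] || "").toLowerCase();
  const nosniff = String(headers["x-content-type-options"] || "").toLowerCase() === "nosniff";
  return !ACTIVE_CONTENT_TYPES.has(type) && disposition.startsWith("attachment") && nosniff;
}

// "Log Indicators": the advisory's SIEM query applied to raw log lines. Returns the
// upload events whose declared Content-Type or file extension is HTML, for triage.
function flagSuspiciousUploads(logLines) {
  const hits = [];
  for (const line of logLines) {
    let ev;
    try { ev = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (ev.source !== "wekan" || !["attachment_upload", "file_upload"].includes(ev.event)) continue;
    const badType = ACTIVE_CONTENT_TYPES.has(mediaType(ev.content_type));
    const badName = /\.html?$/i.test(String(ev.filename || ""));
    if (badType || badName) {
      hits.push({ user: ev.user, filename: ev.filename, content_type: ev.content_type });
    }
  }
  return hits;
}

// Constructed sample log lines (not real Wekan output); the second and third should be flagged.
const SAMPLE_LOG = [
  '{"source":"wekan","event":"attachment_upload","user":"alice","filename":"report.pdf","content_type":"application/pdf"}',
  '{"source":"wekan","event":"attachment_upload","user":"bob","filename":"notes.txt","content_type":"text/html; charset=utf-8"}',
  '{"source":"wekan","event":"file_upload","user":"carol","filename":"index.html","content_type":"text/plain"}',
  'not json at all',
];
```

Feed `attachmentServedSafely` the headers of a GET against a freshly uploaded attachment after patching; a false result means the response still needs a download disposition, a non-HTML type, or nosniff.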
