Description

An issue was discovered in Wekan, the open source kanban board system, up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privilege escalation and unauthorized access to other teams/orgs.

PUBLISHED | Reserved 2025-11-18 | Published 2025-12-15 | Updated 2025-12-17 | Assigner mitre

References

github.com/wekan/wekan

wekan.fi/hall-of-fame/spacebleed/

github.com/wekan/wekan/blob/main/CHANGELOG.md

github.com/...ommit/f26d58201855e861bab1cd1fda4d62c664efdb81

cve.org (CVE-2025-65780)

nvd.nist.gov (CVE-2025-65780)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.