
CVE-2025-65778: n/a

Severity: High
Published: Mon Dec 15 2025 (12/15/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2025-65778 is a vulnerability in Wekan, an open-source kanban board system, affecting versions up to 18.15. The flaw allows attackers to upload attachments that are served with a malicious Content-Type header (text/html), enabling execution of attacker-controlled HTML and JavaScript within the application's origin. This can lead to session and token theft as well as Cross-Site Request Forgery (CSRF) attacks. The vulnerability was fixed in version 18.16. There are no known exploits in the wild as of now. Exploitation does not require authentication but does require the ability to upload files. The vulnerability poses a significant risk to the confidentiality and integrity of user sessions and data. European organizations using Wekan, especially in countries with high adoption of open-source collaboration tools, are at risk.

AI-Powered Analysis

Last updated: 12/15/2025, 14:31:23 UTC

Technical Analysis

CVE-2025-65778 is a security vulnerability identified in Wekan, an open-source kanban board system widely used for project management and collaboration. The issue exists in versions up to 18.15 and was resolved in version 18.16. The vulnerability arises because uploaded attachments can be served with an attacker-controlled Content-Type header set to text/html. This improper handling allows an attacker to inject and execute arbitrary HTML and JavaScript code within the context of the Wekan application’s origin. Such execution can lead to theft of session tokens or authentication cookies, enabling attackers to hijack user sessions. Additionally, the vulnerability facilitates Cross-Site Request Forgery (CSRF) attacks, where malicious requests can be made on behalf of authenticated users without their consent. The attack vector requires the attacker to have the ability to upload files to the Wekan instance, which may be possible if the application is publicly accessible or if user accounts are compromised or created. No CVSS score has been assigned yet, and there are no known exploits in the wild. The vulnerability impacts the confidentiality and integrity of user data and sessions, potentially allowing attackers to gain unauthorized access and perform actions within the application as legitimate users. The root cause is inadequate validation and sanitization of uploaded file metadata, specifically the Content-Type header, which should be strictly controlled to prevent execution of active content. The fix in version 18.16 likely involves enforcing safe Content-Type headers and sanitizing uploaded content to prevent script execution.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive project management data and user credentials. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users and access confidential information or manipulate project workflows. CSRF attacks can result in unauthorized actions being performed, potentially disrupting business processes or leaking sensitive data. Organizations relying on Wekan for internal collaboration, especially those with public-facing instances or weak access controls, are particularly vulnerable. The impact is amplified in sectors with stringent data protection requirements, such as finance, healthcare, and government, where unauthorized access could lead to regulatory penalties under GDPR. Additionally, the ease of exploitation—requiring only file upload capability without authentication—raises the threat level for organizations with open or poorly secured Wekan deployments. The lack of known exploits currently provides a window for proactive mitigation, but the potential for rapid weaponization exists given the straightforward nature of the attack vector.

Mitigation Recommendations

European organizations should immediately upgrade all Wekan instances to version 18.16 or later, where the vulnerability is patched. In addition to upgrading, implement strict Content-Type validation on the server side to ensure uploaded files are served with safe and expected MIME types, rejecting or sanitizing any files with potentially executable content types such as text/html. Employ file upload restrictions, including limiting allowed file types and scanning uploads for malicious content. Configure Content Security Policy (CSP) headers to restrict execution of inline scripts and reduce the impact of any injected malicious code. Enforce strong access controls and authentication mechanisms to limit who can upload files, and monitor upload activity for suspicious behavior. Regularly audit and update Wekan deployments and dependencies to incorporate security patches promptly. Educate users about phishing and social engineering risks that could facilitate unauthorized file uploads. Finally, consider isolating Wekan instances behind VPNs or internal networks where feasible to reduce exposure to external attackers.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 694017f1d9bcdf3f3ddec583

Added to database: 12/15/2025, 2:15:13 PM

Last enriched: 12/15/2025, 2:31:23 PM

Last updated: 12/15/2025, 4:35:29 PM
