CVE-2025-65778: n/a
An issue was discovered in Wekan, The Open Source kanban board system, up to version 18.15, fixed in 18.16. Uploaded attachments can be served with an attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions.
AI Analysis
Technical Summary
CVE-2025-65778 is a vulnerability identified in Wekan, an open-source kanban board system widely used for task and project management. The issue exists in versions up to 18.15 and was resolved in version 18.16. The core of the vulnerability lies in the handling of uploaded attachments: Wekan improperly allows the Content-Type header of these attachments to be attacker-controlled and set to text/html. This misconfiguration enables an attacker to upload malicious HTML or JavaScript code that executes within the security context (origin) of the Wekan application. Such execution constitutes a stored cross-site scripting (XSS) attack, classified under CWE-79. The consequences include theft of session tokens or authentication tokens, enabling attackers to hijack user sessions. Additionally, the attacker can perform cross-site request forgery (CSRF) actions, potentially manipulating user actions without their consent. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), such as a user opening or interacting with the malicious attachment. The scope is unchanged (S:U), and the impact on confidentiality and integrity is high (C:H/I:H), while availability is not affected (A:N). No known exploits are currently reported in the wild, but the high CVSS score of 8.1 indicates a serious risk. The vulnerability highlights the importance of strict validation and sanitization of user-uploaded content and proper Content-Type enforcement to prevent script execution in web applications.
Potential Impact
For European organizations using Wekan, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive project management data. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users and access confidential information or modify project tasks and workflows. CSRF capabilities further enable attackers to perform unauthorized actions on behalf of users, potentially disrupting business processes or leaking sensitive data. Given Wekan's role in collaboration and task tracking, such breaches could result in intellectual property theft, operational disruption, and reputational damage. The risk is amplified in environments where Wekan is integrated with other internal systems or contains sensitive project details. The lack of required authentication lowers the barrier for attackers, increasing the likelihood of exploitation if the vulnerability is unpatched. European organizations must prioritize patching to prevent lateral movement and data compromise within their networks.
Mitigation Recommendations
The primary mitigation is to upgrade Wekan installations to version 18.16 or later, where this vulnerability is fixed. Organizations should enforce strict Content-Type validation on uploaded attachments, ensuring that only safe MIME types are accepted and served with appropriate headers. Implement server-side sanitization of uploaded content to strip or neutralize any embedded scripts or HTML. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of any potential XSS. Educate users about the risks of interacting with untrusted attachments within Wekan. Monitor logs for unusual upload or access patterns that might indicate exploitation attempts. If upgrading immediately is not feasible, consider disabling attachment uploads or restricting them to trusted users only. Regularly review and update web application firewall (WAF) rules to detect and block malicious payloads targeting this vulnerability.
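The Content-Type enforcement recommended above, as an added example in Node.js (not Wekan's own code): the uploader-supplied MIME type and filename are treated as untrusted, only a small allow-list is ever served inline, and everything else is forced to download as an opaque binary with sniffing disabled. The attachment record layout and the `attachmentHeaders` helper are assumptions for illustration.

```javascript
// Added example (not Wekan's code): choose response headers for a stored
// attachment so that a user-supplied MIME type can never make the browser
// render the file as HTML in the application's origin (CVE-2025-65778 case).
// Assumption: the MIME type and filename come straight from the upload.

// Types that are safe to render inline. Anything else is downloaded as a blob.
const INLINE_SAFE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'application/pdf', 'text/plain',
]);

// Explicit deny-list: browsers execute script for these when served in-origin.
// Kept separate so that extending the allow-list can never re-enable them.
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/javascript', 'application/javascript', 'text/xml', 'application/xml',
]);

function normalizeType(raw) {
  // Strip parameters and casing: "TEXT/HTML; charset=utf-8" -> "text/html".
  return String(raw || '').split(';')[0].trim().toLowerCase();
}

// Returns the headers to send for an attachment response. Both arguments are
// attacker-controlled at upload time and must not be echoed unchecked.
function attachmentHeaders(filename, claimedType) {
  const type = normalizeType(claimedType);
  const inline = INLINE_SAFE_TYPES.has(type) && !ACTIVE_CONTENT_TYPES.has(type);
  // Neutralise quotes and line breaks so the filename cannot inject headers.
  const safeName = String(filename || 'attachment').replace(/["\r\n\\]/g, '_');
  return {
    // Never echo an unknown or active type; fall back to an opaque binary type.
    'Content-Type': inline ? type : 'application/octet-stream',
    // Force a download for anything not explicitly allowed inline.
    'Content-Disposition': `${inline ? 'inline' : 'attachment'}; filename="${safeName}"`,
    // Stop browsers from sniffing an HTML payload out of an octet-stream body.
    'X-Content-Type-Options': 'nosniff',
    // Even an allowed inline type is served with a CSP that forbids script.
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}
```

In an HTTP handler the result is passed straight to the response, e.g. `res.writeHead(200, attachmentHeaders(doc.name, doc.type))` before streaming the file body.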
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 694017f1d9bcdf3f3ddec583
Added to database: 12/15/2025, 2:15:13 PM
Last enriched: 12/22/2025, 2:34:19 PM
Last updated: 2/6/2026, 11:14:42 AM
Views: 85