Wekan Stored Cross-Site Scripting Vulnerability via Unrestricted Content-Type in File Attachments

Vulnerability

A stored cross-site scripting vulnerability has been identified in Wekan, an open-source kanban board application, in versions prior to 18.15. The issue arises because file attachments are served with an attacker-controlled Content-Type, such as 'text/html', rather than a type the server has validated. A browser that opens such an attachment renders it as a page in the application's origin, so any embedded HTML or JavaScript executes there, potentially leading to theft of session tokens and execution of cross-site request forgery actions against the victim's account.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: an uploaded attachment persists on the server and executes its embedded script in the application's origin whenever another user accesses it.

Reproduction

To reproduce this vulnerability, upload a file attachment with a Content-Type of 'text/html' to a Wekan board. Once the file is uploaded, it will be served with the specified Content-Type, allowing any embedded JavaScript to execute in the context of the application.

Remediation

Users can update to Wekan version 18.16 or later, which contains the fix for this vulnerability.
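The defensive pattern behind a fix of this kind is to stop trusting the Content-Type recorded at upload time when the attachment is served. The following Node.js snippet is an added example written for this advisory, not code from Wekan or its fix: it derives response headers from an allowlist of inline-safe media types, forces everything else (including text/html) to download as an opaque application/octet-stream, and adds nosniff and a sandboxing CSP as defense in depth. It also includes a small check that scans stored attachment metadata for types an unpatched endpoint would have served as active content. The function names (safeAttachmentHeaders, findActiveContentAttachments), the type lists and the sample records are assumptions constructed for the illustration.

```javascript
// Added example (not Wekan's own code): derive safe response headers for a
// user-uploaded attachment so that an attacker-chosen Content-Type such as
// text/html cannot make the file render as a page in the application's origin.
// Names, type lists and sample data below are assumptions for this illustration.

// Media types the browser may render inline without executing script.
// Anything not listed here is served as an opaque download.
const SAFE_INLINE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'application/pdf', 'text/plain',
]);

// Media types browsers treat as active content in the response origin.
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/xml', 'application/xml', 'text/javascript', 'application/javascript',
]);

// Strip parameters such as "; charset=utf-8" and lower-case the media type.
function normalizeType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Compute the headers the attachment endpoint should emit.
// storedType is the Content-Type recorded at upload (attacker-controlled);
// filename is used only for the download name and is sanitized for the header.
function safeAttachmentHeaders(storedType, filename) {
  const type = normalizeType(storedType);
  const safeName = String(filename || 'attachment').replace(/[^\w.\-]/g, '_');
  const headers = {
    // Prevent the browser from sniffing a different type than the one declared.
    'X-Content-Type-Options': 'nosniff',
    // Even if something does render, deny script execution and origin access.
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
  if (SAFE_INLINE_TYPES.has(type)) {
    headers['Content-Type'] = type;
    headers['Content-Disposition'] = `inline; filename="${safeName}"`;
  } else {
    // Unknown or active content: ignore the stored type and force a download.
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
  }
  return headers;
}

// Detection helper: list stored attachments whose recorded type an unpatched
// endpoint would serve as active content. Useful when auditing an existing
// installation before or after upgrading.
function findActiveContentAttachments(records) {
  return records
    .filter((r) => ACTIVE_CONTENT_TYPES.has(normalizeType(r.type)))
    .map((r) => r.name);
}

// Constructed sample records standing in for attachment metadata.
const SAMPLE_RECORDS = [
  { name: 'report.pdf', type: 'application/pdf' },
  { name: 'notes.txt', type: 'text/html; charset=utf-8' },
  { name: 'logo.svg', type: 'image/svg+xml' },
  { name: 'photo.jpg', type: 'image/jpeg' },
];

// Demonstration: a stored text/html type is neutralized, and the audit flags
// the two records an unpatched server would have rendered as active content.
console.log(safeAttachmentHeaders('text/html; charset=utf-8', 'notes.txt'));
console.log(findActiveContentAttachments(SAMPLE_RECORDS));
```

The allowlist is deliberately short; SVG is excluded from inline rendering because it can carry script, and the sandboxing CSP and nosniff header remain on every response so that a mistake in the allowlist does not immediately become an XSS.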

Added: Dec 15, 2025, 2:26 PM
Updated: Dec 15, 2025, 7:00 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.9
exploitability: 7.4
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.