Contents / SpaceBleed
CVE: -
Vulnerability name: Spacebleed
Date: 2025-11-02 03:29 EET
Responsible Security Disclosure by: Siam Thanat Hack (STH)
Vulnerabilities: Sent a detailed report!
1. File Attachments enables stored XSS (High)
2. Access to boards of any Orgs/Teams (High)
3. Unauthenticated (or any) user can update board ‘sort’ (Low)
4. Members can forge others’ votes (Low). Bonus: xet7 also made similar fixes to planning poker.
5. Attachment API uses bearer value as userId and DoS (Low)
Affected: Wekan v8.15
Fixed at: Wekan v8.16 2025-11-02
Timeline
2025-11-03 03:29 EET: Report received.