Contents / Spacebleed

CVE	Vulnerability name	Date	Responsible Security Disclosure by	Vulnerabilities
-	Spacebleed	2025-11-02 03:29 EET	Siam Thanat Hack (STH) Did send detailed report!	1. File Attachments enables stored XSS (High) 2. Access to boards of any Orgs/Teams (High) 3. Unauthenticated (or any) user can update board ‘sort’ (Low) 4. Members can forge others’ votes (Low) Bonus: Similar fixes to planning poker too done by xet7. 5. Attachment API uses bearer value as userId and DoS (Low) Affected Wekan v8.15 Fixed at Wekan v8.16 2025-11-02

Timeline	Details
2025-11-02 03:29 EET	Report received.
2025-11-02 12:20 EET	Fixed at Wekan v8.16 2025-11-02