| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-40103 | Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds | go-vikunja | vikunja | Medium | 4.3 | 2026-04-10 16:12:28 | Deep Dive |
| CVE-2026-35602 | Vikunja has a File Size Limit Bypass via Vikunja Import | go-vikunja | vikunja | Medium | 5.4 | 2026-04-10 16:10:40 | Deep Dive |
| CVE-2026-35601 | Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output | go-vikunja | vikunja | Medium | 4.1 | 2026-04-10 16:08:51 | Deep Dive |
| CVE-2026-35600 | Vikunja has HTML Injection via Task Titles in Overdue Email Notifications | go-vikunja | vikunja | Medium | 5.4 | 2026-04-10 16:07:08 | Deep Dive |
| CVE-2026-35599 | Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler | go-vikunja | vikunja | Medium | 6.5 | 2026-04-10 16:05:58 | Deep Dive |
| CVE-2026-35598 | Vikunja has Missing Authorization on CalDAV Task Read | go-vikunja | vikunja | Medium | 4.3 | 2026-04-10 16:04:32 | Deep Dive |
| CVE-2026-35597 | Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout | go-vikunja | vikunja | Medium | 5.9 | 2026-04-10 16:03:20 | Deep Dive |
| CVE-2026-35596 | Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug | go-vikunja | vikunja | Medium | 4.3 | 2026-04-10 15:59:43 | Deep Dive |
| CVE-2026-35595 | Vikunja Affected by Privilege Escalation via Project Reparenting | go-vikunja | vikunja | High | 8.3 | 2026-04-10 15:58:33 | Deep Dive |
| CVE-2026-35594 | Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade | go-vikunja | vikunja | Medium | 6.5 | 2026-04-10 15:55:05 | Deep Dive |
| CVE-2026-34727 | Vikunja has a TOTP Two-Factor Authentication Bypass via OIDC Login Path | go-vikunja | vikunja | High | 7.4 | 2026-04-10 15:45:31 | Deep Dive |
| CVE-2026-33700 | Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion | go-vikunja | vikunja | Medium | - | 2026-03-24 15:51:40 | Deep Dive |
| CVE-2026-33680 | Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation | go-vikunja | vikunja | High | 7.5 | 2026-03-24 15:47:48 | Deep Dive |
| CVE-2026-33679 | Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections | go-vikunja | vikunja | Medium | 6.4 | 2026-03-24 15:46:10 | Deep Dive |
| CVE-2026-33678 | Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion | go-vikunja | vikunja | High | 8.1 | 2026-03-24 15:44:06 | Deep Dive |
| CVE-2026-33677 | Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API | go-vikunja | vikunja | Medium | 6.5 | 2026-03-24 15:36:52 | Deep Dive |
| CVE-2026-33676 | Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read | go-vikunja | vikunja | Medium | 6.5 | 2026-03-24 15:35:38 | Deep Dive |
| CVE-2026-33675 | Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources | go-vikunja | vikunja | Medium | 6.4 | 2026-03-24 15:33:06 | Deep Dive |
| CVE-2026-33668 | Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect | go-vikunja | vikunja | Medium | - | 2026-03-24 15:30:27 | Deep Dive |
| CVE-2026-33474 | Vikunja Affected by DoS via Image Preview Generation | go-vikunja | vikunja | Medium | 6.5 | 2026-03-24 15:21:20 | Deep Dive |
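The CVE-2026-35596 row names an "SQL Operator Precedence Bug" as the cause of broken access control on label reads. The following is an added, constructed example of that general pattern; it is not Vikunja's code, and the table names, columns, and query shape are assumptions made for illustration. It shows how an unparenthesised `A AND B OR C` permission check degrades into `(A AND B) OR C`, so the `OR` branch no longer constrains the requested row id, beside the parenthesised form that keeps the id constraint in force.

```python
"""Constructed example of an AND/OR precedence bug in a SQL permission check.

Not Vikunja's code: the schema, the data, and the shape of the query are
assumptions chosen to illustrate the bug class named in CVE-2026-35596.
"""
import sqlite3


def setup() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE labels        (id INTEGER PRIMARY KEY, created_by INTEGER);
        CREATE TABLE tasks         (id INTEGER PRIMARY KEY, project_id INTEGER);
        CREATE TABLE label_tasks   (label_id INTEGER, task_id INTEGER);
        CREATE TABLE project_users (project_id INTEGER, user_id INTEGER);
        -- constructed data: user 1 can see project 10 (task 100, label 1);
        -- user 2 can see project 20 (task 200, label 2); user 1 cannot see 20.
        INSERT INTO labels        VALUES (1, 1), (2, 2);
        INSERT INTO tasks         VALUES (100, 10), (200, 20);
        INSERT INTO label_tasks   VALUES (1, 100), (2, 200);
        INSERT INTO project_users VALUES (10, 1), (20, 2);
    """)
    return conn


# Intended rule: the caller may read label :label if they created it, or if it
# is attached to a task in a project they are a member of.
#
# Buggy form. SQL binds AND tighter than OR, so this parses as
#   (l.id = :label AND l.created_by = :user) OR t.project_id IN (...)
# and the second branch matches *any* label in *any* accessible project,
# regardless of which label id was requested.
BUGGY = """
SELECT COUNT(*) FROM labels l
LEFT JOIN label_tasks lt ON lt.label_id = l.id
LEFT JOIN tasks t ON t.id = lt.task_id
WHERE l.id = :label
  AND l.created_by = :user
   OR t.project_id IN (SELECT project_id FROM project_users WHERE user_id = :user)
"""

# Fixed form: explicit parentheses keep the id constraint on both branches.
FIXED = """
SELECT COUNT(*) FROM labels l
LEFT JOIN label_tasks lt ON lt.label_id = l.id
LEFT JOIN tasks t ON t.id = lt.task_id
WHERE l.id = :label
  AND (l.created_by = :user
       OR t.project_id IN (SELECT project_id FROM project_users WHERE user_id = :user))
"""


def can_read(conn: sqlite3.Connection, query: str, user_id: int, label_id: int) -> bool:
    """Typical 'exists' style authorisation gate: any matching row means allowed."""
    (n,) = conn.execute(query, {"user": user_id, "label": label_id}).fetchone()
    return n > 0


if __name__ == "__main__":
    db = setup()
    # User 1 asks for label 2, which belongs to a project user 1 cannot see.
    print("buggy allows user 1 -> label 2:", can_read(db, BUGGY, 1, 2))
    print("fixed allows user 1 -> label 2:", can_read(db, FIXED, 1, 2))
    print("fixed allows user 1 -> label 1:", can_read(db, FIXED, 1, 1))
```

The practical check this suggests when reviewing permission queries: whenever a `WHERE` clause mixes `AND` and `OR`, either parenthesise every `OR` group explicitly or run the query once with a row id the caller must not be able to reach and confirm the count is zero.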