vikunja — Vulnerabilities & Security Advisories (35)

All 35 CVE vulnerabilities found in vikunja, with AI-generated Chinese analysis, references, and POCs.

Vendor: go-vikunja

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-40103 | Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds | CWE-836 | 4.3 | Medium | 2026-04-10
CVE-2026-35602 | Vikunja has a File Size Limit Bypass via Vikunja Import | CWE-770 | 5.4 | Medium | 2026-04-10
CVE-2026-35601 | Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output | CWE-93 | 4.1 | Medium | 2026-04-10
CVE-2026-35600 | Vikunja has HTML Injection via Task Titles in Overdue Email Notifications | CWE-79 | 5.4 | Medium | 2026-04-10
CVE-2026-35599 | Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler | CWE-407 | 6.5 | Medium | 2026-04-10
CVE-2026-35598 | Vikunja has Missing Authorization on CalDAV Task Read | CWE-862 | 4.3 | Medium | 2026-04-10
CVE-2026-35597 | Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout | CWE-307 | 5.9 | Medium | 2026-04-10
CVE-2026-35596 | Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug | CWE-863 | 4.3 | Medium | 2026-04-10
CVE-2026-35595 | Vikunja Affected by Privilege Escalation via Project Reparenting | CWE-269 | 8.3 | High | 2026-04-10
CVE-2026-35594 | Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade | CWE-613 | 6.5 | Medium | 2026-04-10
CVE-2026-34727 | Vikunja has a TOTP Two-Factor Authentication Bypass via OIDC Login Path | CWE-287 | 7.4 | High | 2026-04-10
CVE-2026-33700 | Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion | CWE-639 | 2.7 | - | 2026-03-24
CVE-2026-33680 | Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation | CWE-285 | 7.5 | High | 2026-03-24
CVE-2026-33679 | Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections | CWE-918 | 6.4 | Medium | 2026-03-24
CVE-2026-33678 | Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion | CWE-639 | 8.1 | High | 2026-03-24
CVE-2026-33677 | Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API | CWE-200 | 6.5 | Medium | 2026-03-24
CVE-2026-33676 | Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read | CWE-863 | 6.5 | Medium | 2026-03-24
CVE-2026-33675 | Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources | CWE-918 | 6.4 | Medium | 2026-03-24
CVE-2026-33668 | Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect | CWE-285 | 4.4 | - | 2026-03-24
CVE-2026-33474 | Vikunja Affected by DoS via Image Preview Generation | CWE-400 | 6.5 | Medium | 2026-03-24
CVE-2026-33473 | Vikunja has TOTP Reuse During Validity Window | CWE-287 | 5.7 | Medium | 2026-03-24
CVE-2026-33336 | Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation | CWE-94 | 9.6 | - | 2026-03-24
CVE-2026-33335 | Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal | CWE-939 | 6.1 | - | 2026-03-24
CVE-2026-33334 | Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration | CWE-94 | 9.0 | - | 2026-03-24
CVE-2026-33316 | Vikunja's Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement | CWE-284 | 8.1 | High | 2026-03-24
CVE-2026-33315 | Vikunja has a 2FA Bypass via CalDAV Basic Auth | CWE-288 | 5.3 | - | 2026-03-24
CVE-2026-33313 | Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments | CWE-639 | 4.3 | - | 2026-03-24
CVE-2026-33312 | Read-only Vikunja users can delete project background images via broken object-level authorization | CWE-863 | 4.3 | - | 2026-03-20
CVE-2026-29794 | Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers | CWE-807 | 5.3 | Medium | 2026-03-20
CVE-2026-28268 | Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse | CWE-459 | 9.8 | Critical | 2026-02-27