
go-vikunja — Vulnerabilities & Security Advisories (35)

Browse all 35 CVE security advisories affecting go-vikunja. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by go-vikunja: vikunja
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40103 | Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds | vikunja | CWE-836 | 4.3 | Medium | 2026-04-10 |
| CVE-2026-35602 | Vikunja has a File Size Limit Bypass via Vikunja Import | vikunja | CWE-770 | 5.4 | Medium | 2026-04-10 |
| CVE-2026-35601 | Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output | vikunja | CWE-93 | 4.1 | Medium | 2026-04-10 |
| CVE-2026-35600 | Vikunja has HTML Injection via Task Titles in Overdue Email Notifications | vikunja | CWE-79 | 5.4 | Medium | 2026-04-10 |
| CVE-2026-35599 | Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler | vikunja | CWE-407 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-35598 | Vikunja has Missing Authorization on CalDAV Task Read | vikunja | CWE-862 | 4.3 | Medium | 2026-04-10 |
| CVE-2026-35597 | Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout | vikunja | CWE-307 | 5.9 | Medium | 2026-04-10 |
| CVE-2026-35596 | Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug | vikunja | CWE-863 | 4.3 | Medium | 2026-04-10 |
| CVE-2026-35595 | Vikunja Affected by Privilege Escalation via Project Reparenting | vikunja | CWE-269 | 8.3 | High | 2026-04-10 |
| CVE-2026-35594 | Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade | vikunja | CWE-613 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-34727 | Vikunja has a TOTP Two-Factor Authentication Bypass via OIDC Login Path | vikunja | CWE-287 | 7.4 | High | 2026-04-10 |
| CVE-2026-33700 | Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion | vikunja | CWE-639 | 2.7 | - | 2026-03-24 |
| CVE-2026-33680 | Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation | vikunja | CWE-285 | 7.5 | High | 2026-03-24 |
| CVE-2026-33679 | Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections | vikunja | CWE-918 | 6.4 | Medium | 2026-03-24 |
| CVE-2026-33678 | Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion | vikunja | CWE-639 | 8.1 | High | 2026-03-24 |
| CVE-2026-33677 | Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API | vikunja | CWE-200 | 6.5 | Medium | 2026-03-24 |
| CVE-2026-33676 | Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read | vikunja | CWE-863 | 6.5 | Medium | 2026-03-24 |
| CVE-2026-33675 | Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources | vikunja | CWE-918 | 6.4 | Medium | 2026-03-24 |
| CVE-2026-33668 | Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect | vikunja | CWE-285 | 4.4 | - | 2026-03-24 |
| CVE-2026-33474 | Vikunja Affected by DoS via Image Preview Generation | vikunja | CWE-400 | 6.5 | Medium | 2026-03-24 |
| CVE-2026-33473 | Vikunja has TOTP Reuse During Validity Window | vikunja | CWE-287 | 5.7 | Medium | 2026-03-24 |
| CVE-2026-33336 | Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation | vikunja | CWE-94 | 9.6 | - | 2026-03-24 |
| CVE-2026-33335 | Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal | vikunja | CWE-939 | 6.1 | - | 2026-03-24 |
| CVE-2026-33334 | Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration | vikunja | CWE-94 | 9.0 | - | 2026-03-24 |
| CVE-2026-33316 | Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement | vikunja | CWE-284 | 8.1 | High | 2026-03-24 |
| CVE-2026-33315 | Vikunja has a 2FA Bypass via CalDAV Basic Auth | vikunja | CWE-288 | 5.3 | - | 2026-03-24 |
| CVE-2026-33313 | Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments | vikunja | CWE-639 | 4.3 | - | 2026-03-24 |
| CVE-2026-33312 | Read-only Vikunja users can delete project background images via broken object-level authorization | vikunja | CWE-863 | 4.3 | - | 2026-03-20 |
| CVE-2026-29794 | Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers | vikunja | CWE-807 | 5.3 | Medium | 2026-03-20 |
| CVE-2026-28268 | Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse | vikunja | CWE-459 | 9.8 | Critical | 2026-02-27 |

This page lists every published CVE security advisory associated with go-vikunja. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.