CVE-2026-27575
Published 2026-02-25
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234…
Priority P357 · critical 9.1 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS 0.43% (34.3th percentile)
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | 0 – 0.24.6 | — |
| go-vikunja | vikunja | < 2.0.0 | 2.0.0 |
| vikunja | vikunja | < 2.0.0 | 2.0.0 |
OSV
osv · 2026-02-27
CVE-2026-27575: Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api
GHSA
ghsa · 2026-02-25
CVE-2026-27575 [CRITICAL] CWE-521: Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change
**Summary**
The application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password.
An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password.
**Details**
1. Weak passwords are accepted during registration and password change.
2. No minimum length or strength validation is enforced.
3. After changing the password, previously issued session tokens remain valid.
4. No forced logout occurs across active sessions.
_Attack scenario:_
Attacker guesses or obtains weak credentia
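The session half of the advisory (details 3 and 4) is fixed by recording when an account's password last changed and rejecting any session token issued before that instant. The Go code below is an added example, not Vikunja's own code: it uses a constructed `userID.issuedAtUnix.hmacHex` token format and hypothetical `VerifyTokenLegacy` / `VerifyToken` functions to place the pre-2.0.0 behaviour beside the hardened check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

var ErrBadToken = errors.New("token malformed, wrong user or bad signature")
var ErrSessionRevoked = errors.New("session issued before the last password change")
func sign(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}
// IssueToken builds "userID.issuedAtUnix.hmacHex", a constructed token format (not Vikunja's own).
func IssueToken(key []byte, uid int64, issuedAt time.Time) string {
	payload := strconv.FormatInt(uid, 10) + "." + strconv.FormatInt(issuedAt.Unix(), 10)
	return payload + "." + sign(key, payload)
}

// parseToken checks user binding and signature (constant-time compare) and returns the issue time.
func parseToken(key []byte, uid int64, token string) (time.Time, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != strconv.FormatInt(uid, 10) ||
		!hmac.Equal([]byte(sign(key, p[0]+"."+p[1])), []byte(p[2])) {
		return time.Time{}, ErrBadToken
	}
	issued, err := strconv.ParseInt(p[1], 10, 64) // the signature already covers p[1]
	return time.Unix(issued, 0), err
}

// VerifyTokenLegacy mirrors the pre-2.0.0 behaviour: a validly signed token is accepted
// regardless of any password change, so a session captured beforehand survives the reset.
func VerifyTokenLegacy(key []byte, uid int64, token string) error {
	_, err := parseToken(key, uid, token)
	return err
}

// VerifyToken is the hardened form: it also rejects tokens issued before pwChangedAt (the
// account's last password change, second granularity), logging out every older session.
func VerifyToken(key []byte, uid int64, pwChangedAt time.Time, token string) error {
	issued, err := parseToken(key, uid, token)
	if err == nil && issued.Before(pwChangedAt) {
		return ErrSessionRevoked
	}
	return err
}
```

A fresh login after the change carries a later issue time and passes; the password-length check from details 1 and 2 is a plain minimum-length comparison on the submitted password and is not repeated here.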
No detection rules found.
No public exploits indexed.
Published 2026-02-25