CVE-2026-33675 — Server-Side Request Forgery in Vikunja

CWE-918 — Server-Side Request Forgery5 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 88.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Code.vikunja.io API Vikunja

Timeline

PublishedMar 24

Latest updateMar 26

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDvikunja/vikunja< 2.2.1

▶CVEListV5go-vikunja/vikunja< 2.2.1

▶Gocode.vikunja.io/api< 2.2.1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api↗2026-03-26

▶

OSV

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources↗2026-03-25

▶

GHSA

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources↗2026-03-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33675 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶