CVE-2026-35599
Published 2026-04-10
Priority: P337, medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.35% (26.6th percentile)
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0 < 2.3.0 | 2.3.0 |
| go-vikunja | vikunja | < 2.3.0 | 2.3.0 |
| vikunja | vikunja | < 2.3.0 | 2.3.0 |
GHSA
Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
ghsa·2026-04-10
CVE-2026-35599 [MEDIUM] CWE-407 Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
## Summary
The `addRepeatIntervalToTime` function uses an O(n) loop that advances a date by the task's `RepeatAfter` duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request.
## Details
The vulnerable function at `pkg/models/tasks.go:1456-1464`:
```go
func addRepeatIntervalToTime(now, t time.Time, duration time.Duration) time.Time {
	for {
		t = t.Add(duration)
		if t.After(now) {
			break
		}
	}
	return t
}
```
The `RepeatAfter` field accepts any positive integer (validated as `range(0|9223372036854775807)`), and `DueDate` accepts any vali
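The following is an added example, not Vikunja's code and not the 2.3.0 patch: it puts an iteration-capped copy of the loop above next to a constant-time computation of the same result, so the two can be compared and the loop's cost for a given input can be read off without running it. The names `loopNext`, `constNext` and `maxIter` are hypothetical, and the dates in `main` are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// loopNext mirrors the advisory's loop, but counts iterations and gives up
// after maxIter so the demonstration itself stays bounded.
func loopNext(now, t time.Time, d time.Duration, maxIter int64) (time.Time, int64, bool) {
	for n := int64(1); n <= maxIter; n++ {
		if t = t.Add(d); t.After(now) {
			return t, n, true
		}
	}
	return t, maxIter, false
}

// constNext (hypothetical name) returns the same value as the loop in O(1):
// the number of intervals to skip comes from one integer division.
func constNext(now, t time.Time, d time.Duration) (time.Time, int64, error) {
	if d <= 0 {
		return t, 0, errors.New("repeat interval must be positive")
	}
	elapsed := now.Sub(t) // saturates at MaxInt64 ns for gaps over ~292 years
	if elapsed < 0 {
		return t.Add(d), 1, nil // due date in the future: the loop also adds once
	}
	if elapsed > time.Duration(math.MaxInt64)-d {
		return t, 0, errors.New("due date too far in the past for this interval")
	}
	steps := int64(elapsed/d) + 1 // smallest k >= 1 with t + k*d > now
	return t.Add(time.Duration(steps) * d), steps, nil
}

func main() {
	now := time.Date(2026, 4, 10, 0, 0, 0, 0, time.UTC) // constructed sample values
	due := time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC)
	next, steps, err := constNext(now, due, time.Second)
	fmt.Println(next, steps, err) // steps = iterations the original loop would need
	_, n, done := loopNext(now, due, time.Second, 1_000_000)
	fmt.Println("loop capped after", n, "iterations, finished:", done)
}
```

The `steps` value doubles as a review or validation metric: an input whose step count is large is one the unpatched loop would spend CPU on while holding its database connection.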
VulDB
go-vikunja up to 2.2.x addRepeatIntervalToTime algorithmic complexity (GHSA-r4fg-73rc-hhh7)
vuldb·2026-04-10·CVSS 6.5
CVE-2026-35599 [MEDIUM] go-vikunja up to 2.2.x addRepeatIntervalToTime algorithmic complexity (GHSA-r4fg-73rc-hhh7)
A vulnerability identified as problematic has been detected in go-vikunja vikunja up to 2.2.x. The impacted element is the function addRepeatIntervalToTime. This manipulation causes inefficient algorithmic complexity.
The identification of this vulnerability is CVE-2026-35599. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.