CVE-2026-35599 — Inefficient Algorithmic Complexity in Vikunja

CWE-407 — Inefficient Algorithmic Complexity3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 86.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Code.vikunja.io API

Timeline

PublishedApr 10

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5go-vikunja/vikunja< 2.3.0

▶Gocode.vikunja.io/api< 2.3.0

🔴Vulnerability Details

GHSA

Vikunja has Algorithmic Complexity DoS in Repeating Task Handler↗2026-04-10

▶

VulDB

go-vikunja up to 2.2.x addRepeatIntervalToTime algorithmic complexity (GHSA-r4fg-73rc-hhh7)↗2026-04-10

▶