CVE-2026-35602 — Allocation of Resources Without Limits or Throttling in Vikunja

CWE-770 — Allocation of Resources Without Limits or Throttling2 documents2 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 87.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Code.vikunja.io API

Timeline

PublishedApr 10

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5go-vikunja/vikunja< 2.3.0

▶Gocode.vikunja.io/api< 2.3.0

🔴Vulnerability Details

GHSA

Vikunja has File Size Limit Bypass via Vikunja Import↗2026-04-10

▶