
Go-Vikunja Vikunja vulnerabilities

35 known vulnerabilities affecting go-vikunja/vikunja.

Total CVEs: 35
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4 / HIGH 11 / MEDIUM 20

Vulnerabilities

Page 1 of 2 (20 of the 35 entries are listed on this page)
CVE-2026-28268 | P2 | CRITICAL | CVSS 9.8 | fixed in 2.1.0 | 2026-02-27
CWE-459. Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset t […]
Source: NVD
CVE-2026-27575 | P3 | CRITICAL | CVSS 9.1 | fixed in 2.0.0 | 2026-02-25
CWE-521. Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or […]
Source: NVD
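The two entries above describe a reset token that outlives its own use (CVE-2026-28268) and sessions that outlive a password change (CVE-2026-27575). The Go sketch below is an added example, not Vikunja's code: it stores only a hash of the reset token, deletes the token in the same critical section that validates it, and records the time of the password change so that any session issued before it is refused. The Account and Store types, the in-memory maps and the injectable clock are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Account is a stand-in for a user row (example only, not Vikunja's model).
type Account struct {
	ID                int64
	PasswordHash      string
	PasswordChangedAt time.Time
}

type resetToken struct {
	userID  int64
	expires time.Time
}

// Store keeps accounts and pending reset tokens. Tokens are keyed by their
// SHA-256 so a leaked table does not hand out usable tokens.
type Store struct {
	mu     sync.Mutex
	tokens map[string]resetToken
	users  map[int64]*Account
	now    func() time.Time // injectable clock so expiry can be tested
}

var ErrBadToken = errors.New("invalid, expired or already used reset token")

func NewStore(now func() time.Time) *Store {
	return &Store{tokens: map[string]resetToken{}, users: map[int64]*Account{}, now: now}
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// IssueResetToken returns the plaintext token that would be e-mailed to the user.
func (s *Store) IssueResetToken(userID int64, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[hashToken(tok)] = resetToken{userID: userID, expires: s.now().Add(ttl)}
	return tok, nil
}

// ResetPassword consumes the token: lookup, deletion and the expiry check all
// happen under one lock, so a replayed token finds nothing to match.
func (s *Store) ResetPassword(tok, newPasswordHash string) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hashToken(tok)
	rt, ok := s.tokens[key]
	if !ok {
		return 0, ErrBadToken
	}
	delete(s.tokens, key) // single use: removed before any later check can fail
	if s.now().After(rt.expires) {
		return 0, ErrBadToken
	}
	u, ok := s.users[rt.userID]
	if !ok {
		return 0, ErrBadToken
	}
	u.PasswordHash = newPasswordHash
	// truncated to whole seconds to match the granularity of a JWT "iat" claim
	u.PasswordChangedAt = s.now().Truncate(time.Second)
	return u.ID, nil
}

// SessionValid is the check a JWT middleware runs after verifying the
// signature: a token issued before the last password change is dead.
func (s *Store) SessionValid(userID int64, issuedAt time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	return ok && !issuedAt.Before(u.PasswordChangedAt)
}

func main() {
	clock := time.Date(2026, 3, 1, 12, 0, 0, 0, time.UTC)
	s := NewStore(func() time.Time { return clock })
	s.users[1] = &Account{ID: 1, PasswordHash: "old-hash"}
	tok, _ := s.IssueResetToken(1, time.Hour)
	_, first := s.ResetPassword(tok, "new-hash")
	_, replay := s.ResetPassword(tok, "attacker-hash")
	fmt.Println("first use:", first, "| replay:", replay)
}
```

The session check only needs one extra column on the user row and one comparison per request; it also serves as the kill switch for every session when an account is known to be compromised.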
CVE-2026-34727 | P3 | CRITICAL | CVSS 9.1 | fixed in 2.3.0 | 2026-04-10
CWE-287. Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This […]
Source: NVD
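The entry above (CVE-2026-34727) is a second factor decided by the wrong input: the callback looked at how the account was matched instead of at the account's own TOTP enrolment. The following Go example is added here and is not Vikunja's code. It issues a short-lived token whose only permitted use is the TOTP step whenever the matched local account has TOTP enrolled, and a full session token otherwise; the HMAC token format, the scope names and the Issuer type are assumptions standing in for the real JWT library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Token scopes. A "totp-pending" token is accepted only by the TOTP
// verification endpoint; every other route demands "full".
const (
	ScopeFull        = "full"
	ScopeTOTPPending = "totp-pending"
)

type Claims struct {
	UserID int64
	Scope  string
	Exp    time.Time
}

// Issuer mints and verifies HMAC-signed tokens "userID|scope|expUnix|sig",
// a stand-in for the JWT library so the example runs without dependencies.
type Issuer struct {
	key []byte
	now func() time.Time
}

func (i *Issuer) sign(payload string) string {
	mac := hmac.New(sha256.New, i.key)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func (i *Issuer) Mint(c Claims) string {
	payload := fmt.Sprintf("%d|%s|%d", c.UserID, c.Scope, c.Exp.Unix())
	return payload + "|" + i.sign(payload)
}

func (i *Issuer) Parse(tok string) (Claims, error) {
	parts := strings.Split(tok, "|")
	if len(parts) != 4 {
		return Claims{}, errors.New("malformed token")
	}
	payload := strings.Join(parts[:3], "|")
	if !hmac.Equal([]byte(parts[3]), []byte(i.sign(payload))) {
		return Claims{}, errors.New("bad signature")
	}
	id, err1 := strconv.ParseInt(parts[0], 10, 64)
	exp, err2 := strconv.ParseInt(parts[2], 10, 64)
	if err1 != nil || err2 != nil {
		return Claims{}, errors.New("malformed token")
	}
	c := Claims{UserID: id, Scope: parts[1], Exp: time.Unix(exp, 0)}
	if i.now().After(c.Exp) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Require verifies the token and demands one scope: API routes call
// Require(tok, ScopeFull), the TOTP endpoint Require(tok, ScopeTOTPPending).
func (i *Issuer) Require(tok, scope string) (int64, error) {
	c, err := i.Parse(tok)
	if err != nil {
		return 0, err
	}
	if c.Scope != scope {
		return 0, fmt.Errorf("token has scope %q, route needs %q", c.Scope, scope)
	}
	return c.UserID, nil
}

func (i *Issuer) fullToken(userID int64) string {
	return i.Mint(Claims{UserID: userID, Scope: ScopeFull, Exp: i.now().Add(24 * time.Hour)})
}

// OIDCCallback runs after the provider has authenticated the user and the
// local account has been matched (by subject or by the e-mail fallback). The
// second factor is decided by the local account's own TOTP enrolment, not by
// how the account was matched.
func (i *Issuer) OIDCCallback(userID int64, totpEnrolled bool) string {
	if totpEnrolled {
		return i.Mint(Claims{UserID: userID, Scope: ScopeTOTPPending, Exp: i.now().Add(5 * time.Minute)})
	}
	return i.fullToken(userID)
}

// CompleteTOTP upgrades a pending token once the code has been checked
// (code verification itself is outside this example).
func (i *Issuer) CompleteTOTP(tok string, codeValid bool) (string, error) {
	userID, err := i.Require(tok, ScopeTOTPPending)
	if err != nil || !codeValid {
		return "", errors.New("second factor not satisfied")
	}
	return i.fullToken(userID), nil
}

func main() {
	iss := &Issuer{key: []byte("dev-only-key"), now: time.Now}
	fmt.Println(iss.OIDCCallback(1, true))
}
```

The scope lives inside the signed token, so a client cannot promote a pending token on its own; only CompleteTOTP, after a verified code, mints the full one.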
CVE-2026-33668 | P3 | HIGH | CVSS 8.1 | affected >= 0.18.0, < 2.2.1 | 2026-03-24
CWE-285. Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user sta […]
Source: NVD
CVE-2026-33316 | P3 | HIGH | CVSS 8.1 | fixed in 2.2.0 | 2026-03-24
CWE-284. Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disable […]
Source: NVD
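CVE-2026-33668 and CVE-2026-33316 above are two faces of the same design problem: account status was checked in some login handlers rather than at the one place every credential is turned into a user. The Go example below is added here and is not Vikunja's code. All five paths named in the advisory resolve a credential to a user id and then pass through a single Authenticate function that enforces status, and the reset function refuses non-active accounts instead of touching their status. The path names, the per-path credential tables and the Authenticator type are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

type Status int

const (
	StatusActive Status = iota
	StatusDisabled
)

type User struct {
	ID           int64
	Status       Status
	PasswordHash string
}

// AuthPath names every way a request can prove who it is. The credential
// tables below are stand-ins: real ones hold password hashes, hashed API
// tokens, CalDAV credentials and verified OIDC subjects.
type AuthPath string

const (
	PathLocalLogin  AuthPath = "local-login"
	PathJWTRefresh  AuthPath = "jwt-refresh"
	PathAPIToken    AuthPath = "api-token"
	PathCalDAVBasic AuthPath = "caldav-basic"
	PathOIDC        AuthPath = "oidc"
)

var AllPaths = []AuthPath{PathLocalLogin, PathJWTRefresh, PathAPIToken, PathCalDAVBasic, PathOIDC}

var (
	ErrInvalidCredentials = errors.New("invalid credentials")
	ErrAccountNotActive   = errors.New("account disabled or locked")
)

type Principal struct {
	UserID int64
	Via    AuthPath
}

type Authenticator struct {
	users map[int64]*User
	creds map[AuthPath]map[string]int64 // per path: credential -> user id
}

func NewAuthenticator() *Authenticator {
	a := &Authenticator{users: map[int64]*User{}, creds: map[AuthPath]map[string]int64{}}
	for _, p := range AllPaths {
		a.creds[p] = map[string]int64{}
	}
	return a
}

// resolve answers only "whose credential is this"; it knows nothing about
// whether that account may currently be used.
func (a *Authenticator) resolve(path AuthPath, credential string) (int64, bool) {
	id, ok := a.creds[path][credential]
	return id, ok
}

// Authenticate is the single chokepoint every path goes through. The status
// check lives here, after the credential is matched, so a sixth path added
// later cannot skip it.
func (a *Authenticator) Authenticate(path AuthPath, credential string) (*Principal, error) {
	id, ok := a.resolve(path, credential)
	if !ok {
		return nil, ErrInvalidCredentials
	}
	if u := a.users[id]; u == nil || u.Status != StatusActive {
		return nil, ErrAccountNotActive
	}
	return &Principal{UserID: id, Via: path}, nil
}

// ResetPassword changes the hash and nothing else: it refuses non-active
// accounts instead of flipping them back to active.
func (a *Authenticator) ResetPassword(userID int64, newHash string) error {
	u := a.users[userID]
	if u == nil || u.Status != StatusActive {
		return ErrAccountNotActive
	}
	u.PasswordHash = newHash
	return nil
}

func main() {
	a := NewAuthenticator()
	a.users[1] = &User{ID: 1, Status: StatusDisabled}
	a.creds[PathAPIToken]["tk_example"] = 1
	_, err := a.Authenticate(PathAPIToken, "tk_example")
	fmt.Println("disabled account via API token:", err)
}
```

Because the status is read from the user row on every call rather than baked into the credential, disabling an account takes effect for API tokens and OIDC sessions that were issued earlier, which is the property the advisory says was missing.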
CVE-2026-33336 | P3 | HIGH | CVSS 8.8 | affected >= 0.21.0, < 2.2.0 | 2026-03-24
CWE-94. Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project de […]
Source: NVD
CVE-2026-33334 | P3 | CRITICAL | CVSS 9.6 | affected >= 0.21.0, < 2.2.0 | 2026-03-24
CWE-94. Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or futur […]
Source: NVD
CVE-2026-35595 | P3 | HIGH | CVSS 8.3 | fixed in 2.3.0 | 2026-04-10
CWE-269. Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a p […]
Source: NVD
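The entry above (CVE-2026-35595) is about rights that flow down a project tree: re-parenting a project changes who can reach it, so the check on a move has to cover the project being moved and not only the destination. The Go example below is added here and is not Vikunja's code; it computes effective rights by walking up the hierarchy the way the advisory describes, requires admin on the moved project (the example's own policy choice) plus write on the new parent, and refuses moves that would put a project under its own descendant, which would make that walk loop. The Tree, Project and Right types and the grant table are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

type Right int

const (
	RightNone Right = iota
	RightRead
	RightWrite
	RightAdmin
)

type Project struct {
	ID       int64
	ParentID int64 // 0 = top level
	OwnerID  int64
}

// Tree models the hierarchy with per-project direct grants; rights are
// inherited downwards, which is what the upward walk in EffectiveRight computes.
type Tree struct {
	projects map[int64]*Project
	grants   map[int64]map[int64]Right // projectID -> userID -> right
}

var (
	ErrNotFound  = errors.New("project not found")
	ErrForbidden = errors.New("forbidden")
	ErrCycle     = errors.New("move would make a project its own ancestor")
)

func maxRight(a, b Right) Right {
	if a > b {
		return a
	}
	return b
}

// EffectiveRight walks from the project up to the root and keeps the strongest
// right met on the way; the seen set guards against a corrupted cyclic tree.
func (t *Tree) EffectiveRight(userID, projectID int64) Right {
	r := RightNone
	seen := map[int64]bool{}
	for id := projectID; id != 0 && !seen[id]; {
		seen[id] = true
		p, ok := t.projects[id]
		if !ok {
			break
		}
		if p.OwnerID == userID {
			return RightAdmin
		}
		r = maxRight(r, t.grants[id][userID])
		id = p.ParentID
	}
	return r
}

// isDescendant reports whether candidate lies in the subtree rooted at projectID
// (a project counts as its own descendant).
func (t *Tree) isDescendant(projectID, candidate int64) bool {
	seen := map[int64]bool{}
	for id := candidate; id != 0 && !seen[id]; {
		if id == projectID {
			return true
		}
		seen[id] = true
		p, ok := t.projects[id]
		if !ok {
			return false
		}
		id = p.ParentID
	}
	return false
}

// Move re-parents a project. The caller must already control the project
// being moved, not just the destination, because whoever holds rights on the
// destination inherits them over the moved subtree afterwards.
func (t *Tree) Move(userID, projectID, newParentID int64) error {
	p, ok := t.projects[projectID]
	if !ok {
		return ErrNotFound
	}
	if t.EffectiveRight(userID, projectID) < RightAdmin {
		return ErrForbidden
	}
	if newParentID != 0 {
		if _, ok := t.projects[newParentID]; !ok {
			return ErrNotFound
		}
		if t.EffectiveRight(userID, newParentID) < RightWrite {
			return ErrForbidden
		}
		if t.isDescendant(projectID, newParentID) {
			return ErrCycle
		}
	}
	p.ParentID = newParentID
	return nil
}

func main() {
	tr := &Tree{
		projects: map[int64]*Project{1: {ID: 1, OwnerID: 100}, 2: {ID: 2, ParentID: 1, OwnerID: 100}, 9: {ID: 9, OwnerID: 200}},
		grants:   map[int64]map[int64]Right{2: {200: RightRead}},
	}
	fmt.Println("reader moves victim project under own project:", tr.Move(200, 2, 9))
}
```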
CVE-2026-33678 | P3 | HIGH | CVSS 8.1 | fixed in 2.2.1 | 2026-03-24
CWE-639. Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong t […]
Source: NVD
CVE-2026-33679 | P3 | HIGH | CVSS 7.4 | fixed in 2.2.1 | 2026-03-24
CWE-918. Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja […]
Source: NVD
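For the avatar download above (CVE-2026-33679) the point is that a bare http.Client will happily fetch whatever URL the identity provider hands it, including addresses inside the deployment. The Go example below is added here and is not Vikunja's code. It validates the URL before any network activity, and then checks the resolved address in the dialer's Control hook, which runs after DNS resolution and therefore also catches host names that resolve to loopback or private ranges, including on redirects. Function names, the address classes considered non-public and the size limit are the example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// IsPublicIP rejects every range an avatar fetch has no business reaching:
// loopback, RFC 1918, link-local (covers the 169.254.169.254 metadata
// address), CGNAT, "this network", unspecified and multicast. IPv4-mapped
// IPv6 addresses are unwrapped by To4 and judged as IPv4.
func IsPublicIP(ip net.IP) bool {
	if ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast() {
		return false
	}
	if ip4 := ip.To4(); ip4 != nil {
		if ip4[0] == 0 || (ip4[0] == 100 && ip4[1]&0xc0 == 64) { // 0.0.0.0/8, 100.64.0.0/10
			return false
		}
	}
	return true
}

// ValidateAvatarURL does the checks possible before touching the network:
// http(s) only, no embedded credentials, a host name present.
func ValidateAvatarURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil || u.Hostname() == "" {
		return nil, errors.New("credentials in URL or empty host")
	}
	return u, nil
}

// NewSafeClient checks the resolved address in the dialer's Control hook.
// Redirects are followed with the same dialer, so a 302 to 127.0.0.1 is
// refused as well; a fresh Transport has no proxy, so the URL is never
// handed to one that could reach the internal network on our behalf.
func NewSafeClient(timeout time.Duration) *http.Client {
	dialer := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if !IsPublicIP(net.ParseIP(host)) {
				return fmt.Errorf("refusing to connect to non-public address %s", address)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout:   timeout,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return nil
		},
	}
}

// DownloadAvatar fetches at most maxBytes of the image body.
func DownloadAvatar(c *http.Client, raw string, maxBytes int64) ([]byte, error) {
	u, err := ValidateAvatarURL(raw)
	if err != nil {
		return nil, err
	}
	resp, err := c.Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > maxBytes {
		return nil, errors.New("avatar exceeds size limit")
	}
	return body, nil
}

func main() {
	_, err := DownloadAvatar(NewSafeClient(10*time.Second), "http://127.0.0.1:8080/me.png", 1<<20)
	fmt.Println("loopback avatar URL:", err)
}
```

Checking the IP in Control rather than resolving the name yourself first closes the rebinding window between "resolve and inspect" and "connect", because the hook sees the address the socket is actually about to connect to.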
CVE-2026-27819 | P3 | HIGH | CVSS 7.2 | fixed in 2.0.0 | 2026-02-25
CWE-22. Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files o […]
Source: NVD
CVE-2026-33335 | P3 | HIGH | CVSS 8.0 | affected >= 0.21.0, < 2.2.0 | 2026-03-24
CWE-939. Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise […]
Source: NVD
CVE-2026-35597 | P3 | HIGH | CVSS 7.5 | fixed in 2.3.0 | 2026-04-10
CWE-307. Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailedTOTPAuth and then unconditionally rolls back. HandleFailedTOTPAuth in pkg […]
Source: NVD
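The lockout bug above (CVE-2026-35597) is worth seeing in miniature: a failure counter incremented inside the login transaction disappears with the rollback that the failed login triggers, so the counter never moves and the lockout never fires. The Go example below is added here and is not Vikunja's code. A toy transactional store reproduces the property (writes become visible only on Commit), LoginBuggy follows the shape the advisory describes, and LoginFixed commits the failure in its own transaction before returning the error. The store, the threshold and the absence of any time-based unlock are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// DB and Tx are a toy transactional store: writes made through a Tx become
// visible only on Commit and vanish on Rollback, which is exactly the
// property the lockout bug depends on.
type DB struct {
	failedTOTP map[int64]int
}

type Tx struct {
	db      *DB
	pending map[int64]int
}

func NewDB() *DB { return &DB{failedTOTP: map[int64]int{}} }

func (db *DB) Begin() *Tx { return &Tx{db: db, pending: map[int64]int{}} }

func (tx *Tx) failures(uid int64) int {
	if v, ok := tx.pending[uid]; ok {
		return v
	}
	return tx.db.failedTOTP[uid]
}

func (tx *Tx) RecordFailure(uid int64) { tx.pending[uid] = tx.failures(uid) + 1 }
func (tx *Tx) ClearFailures(uid int64) { tx.pending[uid] = 0 }
func (tx *Tx) Rollback()               { tx.pending = nil }
func (tx *Tx) Commit() {
	for k, v := range tx.pending {
		tx.db.failedTOTP[k] = v
	}
	tx.pending = nil
}

const MaxTOTPFailures = 3

var (
	ErrLocked  = errors.New("too many failed TOTP attempts")
	ErrBadTOTP = errors.New("invalid TOTP code")
)

// LoginBuggy mirrors the described bug: the failure is recorded inside the
// login transaction, which is then rolled back unconditionally on failure,
// so the increment never reaches the database and the lockout never triggers.
func LoginBuggy(db *DB, uid int64, codeOK bool) error {
	tx := db.Begin()
	if tx.failures(uid) >= MaxTOTPFailures {
		tx.Rollback()
		return ErrLocked
	}
	if !codeOK {
		tx.RecordFailure(uid)
		tx.Rollback() // discards the increment along with everything else
		return ErrBadTOTP
	}
	tx.ClearFailures(uid)
	tx.Commit()
	return nil
}

// LoginFixed persists the failure in its own committed transaction before
// reporting the error, independent of what happens to the login transaction.
func LoginFixed(db *DB, uid int64, codeOK bool) error {
	if db.failedTOTP[uid] >= MaxTOTPFailures {
		return ErrLocked
	}
	if !codeOK {
		ftx := db.Begin()
		ftx.RecordFailure(uid)
		ftx.Commit()
		return ErrBadTOTP
	}
	tx := db.Begin()
	tx.ClearFailures(uid)
	tx.Commit()
	return nil
}

func main() {
	db := NewDB()
	for i := 1; i <= 4; i++ {
		fmt.Println("buggy attempt", i, LoginBuggy(db, 1, false), "| stored failures:", db.failedTOTP[1])
	}
	for i := 1; i <= 4; i++ {
		fmt.Println("fixed attempt", i, LoginFixed(db, 2, false), "| stored failures:", db.failedTOTP[2])
	}
}
```

The general rule this illustrates: any security bookkeeping that must survive a failed operation (failure counters, audit records, revocations) has to be committed on a path that the failure cannot roll back.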
CVE-2026-27616 | P3 | HIGH | CVSS 7.3 | fixed in 2.0.0 | 2026-02-25
CWE-79. Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as `<script>` tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the […]
Source: NVD
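The SVG entry above (CVE-2026-27616) hinges on how an uploaded file is served back, since a browser executes script in an SVG only when it renders the document. The Go handler below is an added example, not Vikunja's attachment code. It returns every upload as an opaque download, keeps a declared raster image type only when the magic bytes agree, and sets the three response headers that make an SVG or HTML payload inert even if it reaches a browser. The route prefix, the Attachment type and the in-memory store are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Attachment is an uploaded file; MIME is whatever the uploader declared.
type Attachment struct {
	ID      int64
	Name    string
	MIME    string
	Content []byte
}

type attachmentHandler struct {
	store map[int64]*Attachment
}

func NewAttachmentHandler(store map[int64]*Attachment) http.Handler {
	return &attachmentHandler{store: store}
}

// ServeHTTP returns user-uploaded bytes as an opaque download. Three headers
// keep an SVG (or HTML) payload inert even if it reaches a browser:
// Content-Disposition: attachment prevents inline rendering, nosniff stops the
// browser from guessing a scriptable type, and the sandbox CSP forbids script
// execution and same-origin access should something render it anyway.
func (h *attachmentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	id, err := strconv.ParseInt(strings.TrimPrefix(r.URL.Path, "/attachments/"), 10, 64)
	a, ok := h.store[id]
	if err != nil || !ok {
		http.NotFound(w, r)
		return
	}
	hdr := w.Header()
	hdr.Set("Content-Type", SafeContentType(a.MIME, a.Content))
	hdr.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", SanitizeFilename(a.Name)))
	hdr.Set("X-Content-Type-Options", "nosniff")
	hdr.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	hdr.Set("Cache-Control", "private, no-transform")
	w.Write(a.Content)
}

// SafeContentType keeps a declared raster image type only when the magic
// bytes agree; SVG, HTML, XML and anything unrecognised become octet-stream,
// which browsers download rather than render.
func SafeContentType(declared string, content []byte) string {
	declared = strings.ToLower(strings.TrimSpace(declared))
	switch declared {
	case "image/png", "image/jpeg", "image/gif", "image/webp":
		if http.DetectContentType(content) == declared {
			return declared
		}
	}
	return "application/octet-stream"
}

// SanitizeFilename replaces characters that could break the header value.
func SanitizeFilename(name string) string {
	name = strings.Map(func(c rune) rune {
		if c < 0x20 || c == 0x7f || c == '"' || c == '\\' || c == '/' {
			return '_'
		}
		return c
	}, name)
	if name == "" {
		return "download"
	}
	return name
}

func main() {
	store := map[int64]*Attachment{1: {ID: 1, Name: "evil.svg", MIME: "image/svg+xml",
		Content: []byte(`<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>`)}}
	http.Handle("/attachments/", NewAttachmentHandler(store))
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Rejecting SVG at upload time or running it through a dedicated sanitiser is a reasonable additional control, but the response headers are the defence that holds regardless of what was stored.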
CVE-2026-35602 | P3 | HIGH | CVSS 7.1 | fixed in 2.3.0 | 2026-04-10
CWE-770. Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compress […]
Source: NVD
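Two entries above concern the same import path: CVE-2026-27819 (entry names that escape the extraction directory) and CVE-2026-35602 (a size limit enforced against a number the attacker wrote into the archive). The Go example below is added here and is not Vikunja's restore code. It maps each entry name onto a path proven to lie inside the destination, and it bounds every file by the bytes that actually come out of the decompressor rather than by any declared size. The BuildZip helper fabricates test archives in memory and is labelled as constructed input; function names and the per-file limit are the example's assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// safeDest maps an archive entry name onto a path strictly inside dest.
// filepath.Join cleans ".." segments and filepath.Rel then proves the result
// did not climb out; absolute names and backslashes are refused outright.
func safeDest(dest, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(name) || strings.Contains(name, "\\") {
		return "", fmt.Errorf("unsafe entry name %q", name)
	}
	p := filepath.Join(dest, filepath.FromSlash(name))
	rel, err := filepath.Rel(dest, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes the extraction directory", name)
	}
	return p, nil
}

// copyBounded writes at most maxBytes of src to path, judged by the bytes that
// actually come out of the decompressor, never by a size the archive claims.
func copyBounded(path string, src io.Reader, maxBytes int64) error {
	dst, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer dst.Close()
	n, err := io.Copy(dst, io.LimitReader(src, maxBytes+1))
	if err != nil {
		return err
	}
	if n > maxBytes {
		os.Remove(path)
		return fmt.Errorf("%s exceeds the %d byte limit", filepath.Base(path), maxBytes)
	}
	return nil
}

// ExtractZip restores an archive into dest and returns the files written.
// Newer Go versions may flag insecure names from zip.NewReader themselves;
// safeDest is applied regardless so the behaviour does not depend on GODEBUG.
func ExtractZip(data []byte, dest string, maxBytesPerFile int64) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var written []string
	for _, f := range r.File {
		p, err := safeDest(dest, f.Name)
		if err != nil {
			return written, err
		}
		if strings.HasSuffix(f.Name, "/") {
			if err := os.MkdirAll(p, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		err = copyBounded(p, rc, maxBytesPerFile)
		rc.Close()
		if err != nil {
			return written, err
		}
		written = append(written, p)
	}
	return written, nil
}

// BuildZip makes a small archive in memory (constructed test input, not a
// real Vikunja export); entry names are written verbatim, "../" included.
func BuildZip(entries [][2]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, _ := w.Create(e[0])
		fw.Write([]byte(e[1]))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	dir, _ := os.MkdirTemp("", "restore")
	defer os.RemoveAll(dir)
	_, err := ExtractZip(BuildZip([][2]string{{"../../etc/passwd", "root::0:0"}}), dir, 1<<20)
	fmt.Println("traversal entry:", err)
}
```

The example writes symlink entries as ordinary files containing the link target, which is harmless; a restore that honours symlinks must apply the same inside-the-destination check to the link target as well.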
CVE-2026-33680 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.2.2 | 2026-03-24
CWE-285. Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadA […]
Source: NVD
CVE-2026-33677 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.2.1 | 2026-03-24
CWE-200. Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, th […]
Source: NVD
CVE-2026-35594 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.3.0 | 2026-04-10
CWE-613. Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all […]
Source: NVD
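Three entries above share the link-share model: CVE-2026-35594 (the authorization object built from JWT claims alone), CVE-2026-33680 (a link-share principal listing every share of the project, secret hashes included) and, by the same response-shaping rule, the webhook credentials of CVE-2026-33677. The Go example below is added here and is not Vikunja's code. It re-reads the share row on every request and takes the right from the database rather than from the claims, refuses enumeration to link-share principals, and returns shares through a view type that has no field for the secret at all. The types and the in-memory store are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

type Right int

const (
	RightNone Right = iota
	RightRead
	RightWrite
	RightAdmin
)

// LinkShare is the persisted row. Hash is the secret from the share URL and
// must never appear in a response body.
type LinkShare struct {
	ID        int64
	ProjectID int64
	Hash      string
	Right     Right
}

// ShareClaims is what a link-share JWT carries: a pointer to a row, not the
// authority on what its bearer may do today.
type ShareClaims struct {
	ShareID   int64
	ProjectID int64
	Right     Right
}

// Principal is the server-side authorization object every handler receives.
type Principal struct {
	ProjectID   int64
	Right       Right
	IsLinkShare bool
}

// ShareView is the API response shape for a share: there is no Hash field,
// so the secret cannot leak through a forgotten mask.
type ShareView struct {
	ID        int64 `json:"id"`
	ProjectID int64 `json:"project_id"`
	Right     Right `json:"right"`
}

var (
	ErrShareRevoked = errors.New("link share no longer valid")
	ErrForbidden    = errors.New("forbidden")
)

type Store struct {
	shares map[int64]*LinkShare
}

// AuthorizeShare re-reads the row on every request. A deleted share fails and
// a downgraded share yields its current right, whatever the still validly
// signed token claims.
func (s *Store) AuthorizeShare(c ShareClaims) (*Principal, error) {
	row, ok := s.shares[c.ShareID]
	if !ok || row.ProjectID != c.ProjectID {
		return nil, ErrShareRevoked
	}
	return &Principal{ProjectID: row.ProjectID, Right: row.Right, IsLinkShare: true}, nil
}

// ListShares is the "read all" endpoint: a link-share principal may not
// enumerate the other shares of the project it was let into, and members
// who may still only ever receive ShareView.
func (s *Store) ListShares(p *Principal, projectID int64) ([]ShareView, error) {
	if p.IsLinkShare || p.ProjectID != projectID || p.Right < RightRead {
		return nil, ErrForbidden
	}
	out := []ShareView{}
	for _, sh := range s.shares {
		if sh.ProjectID == projectID {
			out = append(out, ShareView{ID: sh.ID, ProjectID: sh.ProjectID, Right: sh.Right})
		}
	}
	return out, nil
}

func main() {
	st := &Store{shares: map[int64]*LinkShare{}} // the share has already been deleted
	_, err := st.AuthorizeShare(ShareClaims{ShareID: 5, ProjectID: 1, Right: RightAdmin})
	fmt.Println("deleted share presenting a valid token:", err)
}
```

One database read per request is the price of being able to revoke or downgrade a share immediately; a purely stateless token can only ever expire.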
CVE-2026-33676 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.2.1 | 2026-03-24
CWE-863. Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has c […]
Source: NVD
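CVE-2026-33678 (earlier on this page) and CVE-2026-33676 above are both object-level authorization gaps: the first loads a child row by its own id while the permission check was made on a different parent, the second fans out to related rows without checking each one. The Go example below is added here and is not Vikunja's code. It loads an attachment by both the task id from the URL and the attachment id (the equivalent of `WHERE id = ? AND task_id = ?`), and it filters related tasks by the caller's read right on each task's project. The Store, Task and Attachment types and the permission table are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

type Task struct {
	ID        int64
	ProjectID int64
	Title     string
	Related   []int64 // ids of related tasks, possibly in other projects
}

type Attachment struct {
	ID     int64
	TaskID int64
	Name   string
}

type Store struct {
	tasks       map[int64]*Task
	attachments map[int64]*Attachment
	canRead     map[int64]map[int64]bool // userID -> projectID -> may read
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

func (s *Store) canReadTask(userID int64, t *Task) bool {
	return t != nil && s.canRead[userID][t.ProjectID]
}

// GetAttachment is the core of /tasks/:task/attachments/:attachment. The
// permission check is on the task from the URL, so the row must be loaded by
// BOTH ids; loading by attachment id alone lets a caller pair a task they can
// read with an attachment from one they cannot.
func (s *Store) GetAttachment(userID, taskID, attachmentID int64) (*Attachment, error) {
	if !s.canReadTask(userID, s.tasks[taskID]) {
		return nil, ErrForbidden
	}
	a := s.attachments[attachmentID]
	if a == nil || a.TaskID != taskID { // WHERE id = ? AND task_id = ?
		return nil, ErrNotFound
	}
	return a, nil
}

// RelatedTasks expands a task's relations but returns only the related tasks
// whose project the caller can read; the others are dropped, not hidden
// behind a partial object that would still reveal their existence.
func (s *Store) RelatedTasks(userID, taskID int64) ([]*Task, error) {
	t := s.tasks[taskID]
	if !s.canReadTask(userID, t) {
		return nil, ErrForbidden
	}
	out := []*Task{}
	for _, rid := range t.Related {
		if rt := s.tasks[rid]; s.canReadTask(userID, rt) {
			out = append(out, rt)
		}
	}
	return out, nil
}

func main() {
	s := &Store{
		tasks:       map[int64]*Task{1: {ID: 1, ProjectID: 10}, 3: {ID: 3, ProjectID: 20}},
		attachments: map[int64]*Attachment{200: {ID: 200, TaskID: 3, Name: "salaries.xlsx"}},
		canRead:     map[int64]map[int64]bool{7: {10: true}},
	}
	_, err := s.GetAttachment(7, 1, 200) // readable task, someone else's attachment
	fmt.Println("cross-task attachment read:", err)
}
```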
CVE-2026-35599 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.3.0 | 2026-04-10
CWE-407. Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop i […]
Source: NVD
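The loop described above (CVE-2026-35599) has a closed form. The Go example below is added here and is not Vikunja's addRepeatIntervalToTime: NextDueNaive reproduces the O(n) shape for comparison, and NextDue computes the same next occurrence with one integer division. It applies to fixed durations only (calendar repeats such as "monthly" are not a single Duration); the minimum interval and the maximum catch-up span are policy floors assumed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Policy floors assumed for this example (not Vikunja's settings): intervals
// shorter than a minute have no scheduling value and only lengthen the naive
// loop, and a due date more than 200 years back is a data error, not a task.
const (
	MinRepeatInterval = time.Minute
	MaxCatchUpSpan    = 200 * 365 * 24 * time.Hour
)

var (
	ErrBadInterval = errors.New("repeat interval must be at least one minute")
	ErrTooFarBack  = errors.New("due date too far in the past")
)

// NextDueNaive is the O(n) shape the advisory describes: one iteration per
// missed interval. A 1-second interval and a due date 30 years back means
// roughly 10^9 iterations on every request that touches the task.
func NextDueNaive(due time.Time, repeat time.Duration, now time.Time) time.Time {
	for !due.After(now) {
		due = due.Add(repeat)
	}
	return due
}

// NextDue gives the same answer in O(1): count the whole intervals that have
// elapsed with one integer division, add one, and jump there directly. Like
// the loop, it returns the first occurrence strictly after now.
func NextDue(due time.Time, repeat time.Duration, now time.Time) (time.Time, error) {
	if repeat < MinRepeatInterval {
		return time.Time{}, ErrBadInterval
	}
	if due.After(now) {
		return due, nil
	}
	elapsed := now.Sub(due)
	if elapsed > MaxCatchUpSpan {
		return time.Time{}, ErrTooFarBack
	}
	steps := elapsed/repeat + 1
	return due.Add(steps * repeat), nil
}

func main() {
	now := time.Date(2026, 4, 10, 12, 0, 0, 0, time.UTC)
	next, err := NextDue(now.AddDate(-30, 0, 0), time.Minute, now)
	fmt.Println(next, err)
}
```

The span check matters for more than sanity: now.Sub(due) saturates at the Duration limit of about 292 years, and without a ceiling the final multiplication could overflow on pathological input.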