Go-Vikunja Vikunja vulnerabilities
35 known vulnerabilities affecting go-vikunja/vikunja.
Total CVEs: 35
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 9, MEDIUM 24
Vulnerabilities (page 2 of 2)
CVE-2026-33700 | MEDIUM | CVSS 6.9 | CWE-639 | fixed in 2.2.1 | 2026-03-24
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID
Source: nvd
CVE-2026-33677 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 2.2.1 | 2026-03-24
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, th
Source: nvd
CVE-2026-33473 | MEDIUM | CVSS 5.7 | CWE-287 | affected >= 0.13, < 2.2.1 | 2026-03-24
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
Source: nvd
CVE-2026-33675 | MEDIUM | CVSS 5.4 | CWE-918 | fixed in 2.2.1 | 2026-03-24
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third
Source: nvd
CVE-2026-33680 | MEDIUM | CVSS 6.5 | CWE-285 | fixed in 2.2.2 | 2026-03-24
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadA
Source: nvd
CVE-2026-33335 | MEDIUM | CVSS 6.4 | CWE-939 | affected >= 0.21.0, < 2.2.0 | 2026-03-24
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwi
Source: nvd
CVE-2026-33336 | MEDIUM | CVSS 6.5 | CWE-94 | affected >= 0.21.0, < 2.2.0 | 2026-03-24
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project
Source: nvd
CVE-2026-29794 | MEDIUM | CVSS 5.3 | CWE-807 | affected >= 0.8, < 2.2.0 | 2026-03-20
Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can a
Source: nvd
CVE-2026-33312 | MEDIUM | CVSS 5.3 | CWE-863 | affected >= 0.20.2, < 2.2.0 | 2026-03-20
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the
Source: nvd
CVE-2026-28268 | CRITICAL | CVSS 9.8 | CWE-459 | fixed in 2.1.0 | 2026-02-27
Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset t
Source: nvd
CVE-2026-27575 | CRITICAL | CVSS 9.1 | CWE-521 | fixed in 2.0.0 | 2026-02-25
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or
Source: nvd
CVE-2026-27819 | HIGH | CVSS 7.2 | CWE-22 | fixed in 2.0.0 | 2026-02-25
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files o
Source: nvd
CVE-2026-27616 | HIGH | CVSS 7.3 | CWE-79 | fixed in 2.0.0 | 2026-02-25
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the
Source: nvd
CVE-2026-27116 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.0.0 | 2026-02-25
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `` and `` are blocked, ``, ``, and formatting tags (``, ``, ``) render with
Source: nvd
CVE-2026-25935 | HIGH | CVSS 8.6 | CWE-80 | fixed in 1.1.0 | 2026-02-11
Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0.
Source: nvd