
Go-Vikunja Vikunja vulnerabilities

35 known vulnerabilities affecting go-vikunja/vikunja.

Total CVEs: 35
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 11, MEDIUM 20

Vulnerabilities

Page 2 of 2
CVE-2026-33474 | P3 | MEDIUM | CVSS 6.5 | affected >= 1.0.0-rc0, < 2.2.0 | 2026-03-24
[MEDIUM] CWE-400: Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue. (source: nvd)
CVE-2026-33675 | P3 | MEDIUM | CVSS 5.4 | fixed in 2.2.1 | 2026-03-24
[MEDIUM] CWE-918: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third (source: nvd)
CVE-2026-29794 | P4 | MEDIUM | CVSS 5.3 | affected >= 0.8, < 2.2.0 | 2026-03-20
[MEDIUM] CWE-807: Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can a (source: nvd)
CVE-2026-33473 | P4 | MEDIUM | CVSS 5.7 | affected >= 0.13, < 2.2.1 | 2026-03-24
[MEDIUM] CWE-287: Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue. (source: nvd)
CVE-2026-33312 | P4 | MEDIUM | CVSS 5.4 | affected >= 0.20.2, < 2.2.0 | 2026-03-20
[MEDIUM] CWE-863: Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the (source: nvd)
CVE-2026-40103 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.3.0 | 2026-04-10
[MEDIUM] CWE-836: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token auth (source: nvd)
CVE-2026-27116 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.0.0 | 2026-02-25
[MEDIUM] CWE-79: Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `` and `` are blocked, ``, ``, and formatting tags (``, ``, ``) render with (source: nvd)
CVE-2026-25935 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.1.0 | 2026-02-11
[MEDIUM] CWE-80: Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0. (source: nvd)
CVE-2026-35600 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.3.0 | 2026-04-10
[MEDIUM] CWE-79: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows and tags), injected Markdown constructs produce phishing links and (source: nvd)
CVE-2026-33700 | P4 | MEDIUM | CVSS 4.9 | fixed in 2.2.1 | 2026-03-24
[MEDIUM] CWE-639: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID (source: nvd)
CVE-2026-33315 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.2.0 | 2026-03-24
[MEDIUM] CWE-288: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project nam (source: nvd)
CVE-2026-35596 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.3.0 | 2026-04-10
[MEDIUM] CWE-863: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This v (source: nvd)
CVE-2026-35598 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.3.0 | 2026-04-10
[MEDIUM] CWE-862: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any (source: nvd)
CVE-2026-33313 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.2.0 | 2026-03-24
[MEDIUM] CWE-639: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue. (source: nvd)
CVE-2026-35601 | P4 | MEDIUM | CVSS 4.1 | fixed in 2.3.0 | 2026-04-10
[MEDIUM] CWE-93: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar p (source: nvd)