Go-vikunja Vikunja
35 CVEs affecting Go-vikunja Vikunja. Latest disclosed: 2026-04-10. Critical: 2, High: 7.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-28268 | Critical | 9.8 | 2026-02-27 | Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability in the password reset mechan… |
| CVE-2026-27575 | Critical | 9.1 | 2026-02-25 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, passwor… |
| CVE-2026-35595 | High | 8.3 | 2026-04-10 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires… |
| CVE-2026-33678 | High | 8.1 | 2026-03-24 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id =… |
| CVE-2026-33316 | High | 8.1 | 2026-03-24 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regai… |
| CVE-2026-33680 | High | 7.5 | 2026-03-24 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated user… |
| CVE-2026-34727 | High | 7.4 | 2026-04-10 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the… |
| CVE-2026-27616 | High | 7.3 | 2026-02-25 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. S… |
| CVE-2026-27819 | High | 7.2 | 2026-02-25 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of th… |
| CVE-2026-35599 | Medium | 6.5 | 2026-04-10 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by… |
| CVE-2026-35594 | Medium | 6.5 | 2026-04-10 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_… |
| CVE-2026-33677 | Medium | 6.5 | 2026-03-24 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook B… |
| CVE-2026-33676 | Medium | 6.5 | 2026-03-24 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` fi… |
| CVE-2026-33474 | Medium | 6.5 | 2026-03-24 | Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing… |
| CVE-2026-33679 | Medium | 6.4 | 2026-03-24 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http… |
| CVE-2026-33675 | Medium | 6.4 | 2026-03-24 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHead… |
| CVE-2026-27116 | Medium | 6.1 | 2026-02-25 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module… |
| CVE-2026-35597 | Medium | 5.9 | 2026-04-10 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database t… |
| CVE-2026-33473 | Medium | 5.7 | 2026-03-24 | Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have the… |
| CVE-2026-35602 | Medium | 5.4 | 2026-04-10 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from t… |
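The pattern behind CVE-2026-33678 (an attachment fetched by its ID alone, the equivalent of `WHERE id = ?`) is an insecure direct object reference: any authenticated caller who can guess an ID can read another project's attachment. The Go example below is an added illustration, not Vikunja's code or its actual patch. It uses constructed in-memory sample data (`Store`, `sampleStore`, the user, task and project IDs) in place of Vikunja's database, and the hardened `ReadOneScoped` is an assumed remediation: the lookup is scoped to the task the caller names (the equivalent of `WHERE id = ? AND task_id = ?`) and the caller's read permission on that task's project is checked first.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample types; not Vikunja's schema.
type Attachment struct {
	ID     int64
	TaskID int64
	Name   string
}

type Task struct {
	ID        int64
	ProjectID int64
}

// Store stands in for the database. projectReaders maps a project id to the
// set of user ids allowed to read that project.
type Store struct {
	attachments    map[int64]Attachment
	tasks          map[int64]Task
	projectReaders map[int64]map[int64]bool
}

var ErrNotFound = errors.New("attachment not found")

// ReadOneVulnerable mirrors the pattern the advisory describes: the row is
// looked up by id alone, so ownership is never consulted and any caller who
// can guess an id gets the attachment back.
func (s *Store) ReadOneVulnerable(attachmentID int64) (Attachment, error) {
	a, ok := s.attachments[attachmentID]
	if !ok {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// ReadOneScoped is the assumed hardened form: authorize on the parent task's
// project first, then fetch the attachment scoped to that task. Both failure
// paths return ErrNotFound so the response does not reveal whether the task
// or attachment exists.
func (s *Store) ReadOneScoped(userID, taskID, attachmentID int64) (Attachment, error) {
	t, ok := s.tasks[taskID]
	if !ok {
		return Attachment{}, ErrNotFound
	}
	if !s.projectReaders[t.ProjectID][userID] { // nil map lookup yields false
		return Attachment{}, ErrNotFound
	}
	a, ok := s.attachments[attachmentID]
	if !ok || a.TaskID != taskID { // the "AND task_id = ?" half of the query
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// sampleStore builds constructed data: user 1 may read project 100 only,
// user 2 may read projects 100 and 200.
func sampleStore() *Store {
	return &Store{
		attachments: map[int64]Attachment{
			1: {ID: 1, TaskID: 10, Name: "public-notes.txt"},
			2: {ID: 2, TaskID: 20, Name: "payroll.xlsx"},
		},
		tasks: map[int64]Task{
			10: {ID: 10, ProjectID: 100},
			20: {ID: 20, ProjectID: 200},
		},
		projectReaders: map[int64]map[int64]bool{
			100: {1: true, 2: true},
			200: {2: true},
		},
	}
}

func main() {
	s := sampleStore()
	a, err := s.ReadOneVulnerable(2)
	fmt.Println("by id only:", a.Name, err) // user 1 can reach payroll.xlsx
	_, err = s.ReadOneScoped(1, 10, 2)
	fmt.Println("scoped, attachment not under task 10:", err)
	_, err = s.ReadOneScoped(1, 20, 2)
	fmt.Println("scoped, no permission on project 200:", err)
	a, err = s.ReadOneScoped(2, 20, 2)
	fmt.Println("scoped, authorized:", a.Name, err)
}
```

The scoped variant fails closed on both the permission check and the task mismatch, so a caller who knows an attachment ID but not a task they are allowed to read gets nothing back.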
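CVE-2026-35599 describes `addRepeatIntervalToTime` advancing a date with an O(n) loop, so the work done is proportional to how far in the past the date lies divided by the interval, both of which the task's author controls. The Go example below is an added illustration, not Vikunja's function or its fix: `advanceLinear` is a reconstruction of the looping pattern (stepping the due date forward one interval at a time until it is after `now`, an assumption about the function's semantics), and `advanceConstant` is the O(1) replacement that computes the number of whole intervals with a division. Inputs in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

var (
	ErrBadInterval = errors.New("repeat interval must be positive")
	ErrTooFar      = errors.New("target date overflows time.Duration")
)

// advanceLinear is the reconstructed O(n) pattern: add the interval until the
// date lies strictly after now. It also returns the number of steps taken so
// the cost is visible. A due date years in the past with a one-second
// interval costs hundreds of millions of iterations per request.
func advanceLinear(due, now time.Time, interval time.Duration) (time.Time, int64, error) {
	if interval <= 0 {
		return due, 0, ErrBadInterval
	}
	var steps int64
	for !due.After(now) {
		due = due.Add(interval)
		steps++
	}
	return due, steps, nil
}

// advanceConstant produces the same result in O(1): the number of whole
// intervals between due and now is a division, and one more interval pushes
// the result strictly past now (the loop's exit condition).
func advanceConstant(due, now time.Time, interval time.Duration) (time.Time, error) {
	if interval <= 0 {
		return due, ErrBadInterval
	}
	if due.After(now) {
		return due, nil
	}
	gap := now.Sub(due) // saturates at the maximum Duration (~292 years)
	n := int64(gap/interval) + 1
	if n > int64(math.MaxInt64/interval) { // n*interval would overflow
		return due, ErrTooFar
	}
	return due.Add(time.Duration(n) * interval), nil
}

func main() {
	now := time.Date(2026, 4, 10, 0, 0, 0, 0, time.UTC)
	due := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)

	got, steps, _ := advanceLinear(due, now, time.Second)
	fmt.Printf("linear:   %s after %d steps\n", got.Format(time.RFC3339), steps)

	got2, _ := advanceConstant(due, now, time.Second)
	fmt.Printf("constant: %s after one division\n", got2.Format(time.RFC3339))

	_, _, err := advanceLinear(due, now, 0)
	fmt.Println("zero interval rejected:", err)
}
```

Rejecting a non-positive interval matters in both versions: with `interval == 0` the loop never terminates, and the constant-time version would divide by zero. The overflow guard covers the other extreme, a due date near the minimum representable time.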