VYPR

Go modules package

code.vikunja.io/api

pkg:golang/code.vikunja.io/api

Vulnerabilities (32)

  • CVE-2026-40103 (Medium), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with o

  • CVE-2026-35602 (Medium), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforceme

  • CVE-2026-35601 (Medium), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the

  • CVE-2026-35600 (Medium), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which al

  • CVE-2026-35599 (Medium), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval

  • CVE-2026-35598 (Medium), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user

  • CVE-2026-35597 (Medium), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailed

  • CVE-2026-35596 (Medium), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label ti

  • CVE-2026-35595 (High), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive

  • CVE-2026-35594 (Medium), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a

  • CVE-2026-34727 (High), Apr 10, 2026
    affected: < 2.3.0; fixed: 2.3.0

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC ema

  • CVE-2026-33700, Mar 24, 2026
    affected: < 2.2.1; fixed: 2.2.1

    Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can

  • CVE-2026-33680, Mar 24, 2026
    affected: < 2.2.2; fixed: 2.2.2

    Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks li

  • CVE-2026-33679, Mar 24, 2026
    affected: < 2.2.1; fixed: 2.2.1

    Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An at

  • CVE-2026-33678, Mar 24, 2026
    affected: < 2.2.1; fixed: 2.2.1

    Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified i

  • CVE-2026-33677, Mar 24, 2026
    affected: < 2.2.1; fixed: 2.2.1

    Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the proje

  • CVE-2026-33676, Mar 24, 2026
    affected: < 2.2.1; fixed: 2.2.1

    Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on thos

  • CVE-2026-33675, Mar 24, 2026
    affected: < 2.2.1; fixed: 2.2.1

    Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user trig

  • CVE-2026-33668, Mar 24, 2026
    affected: >= 0.18.0, < 2.2.1; fixed: 2.2.1

    Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — A

  • CVE-2026-33474, Mar 24, 2026
    affected: >= 1.0.0-rc0, < 2.2.0; fixed: 2.2.0

    Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension i
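The size-enforcement flaw in CVE-2026-35602 above comes down to which number is compared with the limit. The Go program below is an added example, not Vikunja's import code: it builds a constructed import archive in memory whose metadata.json claims 10 bytes for a 5000-byte entry, then runs a check that trusts the declared size beside one that counts the decompressed bytes itself. The metadata layout (the fileMeta struct, the files/1 entry name, metadata.json) is assumed for the example and is not the project's real import format.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// fileMeta is a hypothetical shape for the per-file record an import zip
// carries; the real import format is not reproduced here.
type fileMeta struct {
	Name string `json:"name"`
	Size int64  `json:"size"`
}

var errTooLarge = errors.New("file exceeds the configured size limit")

// buildImportZip constructs a sample archive in memory: a metadata.json
// entry whose size field is chosen by the caller, and a payload entry of
// whatever length the caller supplies. The two need not agree.
func buildImportZip(declared int64, payload []byte) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	meta, err := json.Marshal(fileMeta{Name: "files/1", Size: declared})
	if err != nil {
		return nil, err
	}
	for name, body := range map[string][]byte{"metadata.json": meta, "files/1": payload} {
		fw, err := w.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write(body); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// openEntry parses metadata.json and returns it with the payload entry it names.
func openEntry(data []byte) (fileMeta, *zip.File, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return fileMeta{}, nil, err
	}
	byName := map[string]*zip.File{}
	for _, f := range zr.File {
		byName[f.Name] = f
	}
	mf, ok := byName["metadata.json"]
	if !ok {
		return fileMeta{}, nil, errors.New("metadata.json missing")
	}
	rc, err := mf.Open()
	if err != nil {
		return fileMeta{}, nil, err
	}
	defer rc.Close()
	var meta fileMeta
	if err := json.NewDecoder(rc).Decode(&meta); err != nil {
		return fileMeta{}, nil, err
	}
	f, ok := byName[meta.Name]
	if !ok {
		return fileMeta{}, nil, fmt.Errorf("entry %q missing", meta.Name)
	}
	return meta, f, nil
}

// importTrustingMetadata follows the flawed pattern: the limit is compared
// against the size the archive claims, then the whole payload is consumed.
func importTrustingMetadata(data []byte, maxSize int64) (int64, error) {
	meta, f, err := openEntry(data)
	if err != nil {
		return 0, err
	}
	if meta.Size > maxSize {
		return 0, errTooLarge
	}
	rc, err := f.Open()
	if err != nil {
		return 0, err
	}
	defer rc.Close()
	return io.Copy(io.Discard, rc)
}

// importMeasured ignores every size the archive reports (the JSON field and
// the zip header's UncompressedSize64 are both attacker-controlled) and
// counts the decompressed bytes itself, stopping one byte past the limit.
func importMeasured(data []byte, maxSize int64) (int64, error) {
	_, f, err := openEntry(data)
	if err != nil {
		return 0, err
	}
	rc, err := f.Open()
	if err != nil {
		return 0, err
	}
	defer rc.Close()
	n, err := io.Copy(io.Discard, io.LimitReader(rc, maxSize+1))
	if err != nil {
		return n, err
	}
	if n > maxSize {
		return n, errTooLarge
	}
	return n, nil
}
```

The LimitReader bound is what matters: reading stops at maxSize+1 bytes, so an oversized entry is rejected without ever being fully inflated, and a compressed-size check on the zip header would not give the same guarantee.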
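CVE-2026-35601 above describes VTODO entries built by string concatenation without RFC 5545 TEXT escaping. The Go program below is an added example, not Vikunja's CalDAV generator: it shows the concatenation pattern with a constructed title that carries a CRLF and an injected STATUS property, then the same entry built with an escapeText function that applies the RFC 5545 section 3.3.11 rules (backslash, semicolon, comma and line breaks). The task struct and field names are assumed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// task is a hypothetical stand-in for the fields a VTODO export needs;
// the real task model is larger.
type task struct {
	UID         string
	Title       string
	Description string
}

// vtodoUnsafe uses the raw concatenation pattern the advisory describes.
// A CRLF inside Title ends the SUMMARY content line early, and whatever
// follows is parsed by the CalDAV client as further properties.
func vtodoUnsafe(t task) string {
	return "BEGIN:VTODO\r\n" +
		"UID:" + t.UID + "\r\n" +
		"SUMMARY:" + t.Title + "\r\n" +
		"DESCRIPTION:" + t.Description + "\r\n" +
		"END:VTODO\r\n"
}

// escapeText applies RFC 5545 section 3.3.11 TEXT escaping. Backslash,
// semicolon and comma get a backslash prefix, and every line break (CRLF,
// bare LF or bare CR) becomes the two characters backslash and 'n', so no
// raw line terminator can survive into the output.
func escapeText(s string) string {
	s = strings.ReplaceAll(s, "\r\n", "\n")
	s = strings.ReplaceAll(s, "\r", "\n")
	var b strings.Builder
	for _, r := range s {
		switch r {
		case '\\':
			b.WriteString(`\\`)
		case ';':
			b.WriteString(`\;`)
		case ',':
			b.WriteString(`\,`)
		case '\n':
			b.WriteString(`\n`)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// vtodoSafe builds the same entry with every user-controlled value escaped.
func vtodoSafe(t task) string {
	return "BEGIN:VTODO\r\n" +
		"UID:" + escapeText(t.UID) + "\r\n" +
		"SUMMARY:" + escapeText(t.Title) + "\r\n" +
		"DESCRIPTION:" + escapeText(t.Description) + "\r\n" +
		"END:VTODO\r\n"
}

// contentLines splits an iCalendar object on CRLF; the property name at the
// start of each line is what a client acts on.
func contentLines(ical string) []string {
	return strings.Split(strings.TrimSuffix(ical, "\r\n"), "\r\n")
}

// hasProperty reports whether any content line starts with name followed by ':'.
func hasProperty(ical, name string) bool {
	for _, l := range contentLines(ical) {
		if strings.HasPrefix(l, name+":") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a title carrying an injected STATUS property.
	t := task{UID: "task-1", Title: "Buy milk\r\nSTATUS:COMPLETED", Description: "qty: 2, brand; any"}
	fmt.Print(vtodoUnsafe(t))
	fmt.Print(vtodoSafe(t))
}
```

Line folding of content lines longer than 75 octets (RFC 5545 section 3.1) is a separate step and is not done here; it must run after escaping, never before, or the fold itself reintroduces CRLF inside a value.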
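CVE-2026-35599 above describes a loop that advances a date by the repeat interval until it passes the current time, so cost grows with the distance between the two. The Go program below is an added example, not Vikunja's addRepeatIntervalToTime: it shows that loop shape beside a constant-time computation of the same value, with the step count derived arithmetically. Function names and the single-interval model are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// nextOccurrenceLoop has the shape the advisory describes: step forward by
// the repeat interval until the result lies after now. Work is proportional
// to (now - start) / interval, so a 1-second interval on a task dated years
// in the past costs hundreds of millions of iterations per call.
func nextOccurrenceLoop(start time.Time, interval time.Duration, now time.Time) time.Time {
	t := start
	for !t.After(now) {
		t = t.Add(interval)
	}
	return t
}

// nextOccurrence returns the same value in constant time. The first
// multiple of interval that lands strictly after now is
// start + (floor((now - start) / interval) + 1) * interval.
// A non-positive interval would loop forever in the version above, so it
// is rejected here instead.
func nextOccurrence(start time.Time, interval time.Duration, now time.Time) (time.Time, error) {
	if interval <= 0 {
		return time.Time{}, errors.New("repeat interval must be positive")
	}
	if start.After(now) {
		return start, nil
	}
	steps := now.Sub(start)/interval + 1
	return start.Add(steps * interval), nil
}

func main() {
	// Constructed sample: a 1-second repeat on a task dated six years ago.
	start := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	now := time.Date(2026, 4, 10, 12, 0, 0, 0, time.UTC)
	next, err := nextOccurrence(start, time.Second, now)
	fmt.Println(next, err)
}
```

time.Time.Sub saturates at roughly 292 years, so a production version should also cap how far in the past a start date may lie before it is trusted in this arithmetic.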
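CVE-2026-33679 and CVE-2026-33675 above both concern a bare http.Client fetching a user-supplied URL with no SSRF protection. The Go program below is an added example, not Vikunja's DownloadImage or migration helpers: it builds a client whose net.Dialer.Control hook inspects the resolved ip:port just before connect, so hostnames that resolve (or re-resolve) to loopback, private, link-local or metadata-style addresses are refused, and adds scheme, redirect, timeout and body-size bounds. The function names and limits are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

var errForbiddenDest = errors.New("destination not allowed")

// isForbiddenIP rejects anything that is not a public unicast address:
// loopback, RFC 1918 and ULA ranges, link-local (which covers the
// 169.254.169.254 metadata endpoint), multicast, unspecified and broadcast.
// The net.IP predicates apply To4 first, so IPv4-mapped IPv6 forms are covered.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified() || ip.Equal(net.IPv4bcast)
}

// checkDialAddr runs as net.Dialer.Control, after name resolution and
// immediately before connect, with the literal ip:port that will be dialed.
// Checking here rather than on the URL host means DNS rebinding between a
// pre-check and the connection does not help the attacker.
func checkDialAddr(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || isForbiddenIP(ip) {
		return fmt.Errorf("%w: %s", errForbiddenDest, address)
	}
	return nil
}

// newOutboundClient is the hardened replacement for a bare http.Client{}:
// the dial hook above, explicit timeouts, a short redirect chain and
// http/https only (a redirect to file:, gopher: or similar is refused).
func newOutboundClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: checkDialAddr}
	transport := &http.Transport{
		DialContext:           dialer.DialContext,
		TLSHandshakeTimeout:   10 * time.Second,
		ResponseHeaderTimeout: 15 * time.Second,
	}
	return &http.Client{
		Transport: transport,
		Timeout:   30 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
				return fmt.Errorf("%w: scheme %q", errForbiddenDest, req.URL.Scheme)
			}
			return nil
		},
	}
}

// fetchBounded retrieves a user-supplied URL with the hardened client and
// reads at most maxBytes of the body, so a huge or slow response cannot
// be used to tie up the worker either.
func fetchBounded(rawURL string, maxBytes int64) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", errForbiddenDest, u.Scheme)
	}
	resp, err := newOutboundClient().Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, maxBytes))
}

func main() {
	// Constructed sample: a "picture" URL pointing at the local host.
	_, err := fetchBounded("http://127.0.0.1:9/avatar.png", 1<<20)
	fmt.Println(err)
}
```

Because the check sits in the dialer, every redirect hop is validated against the address actually connected to, and no DNS lookup is performed in the application that could disagree with the one the dialer makes.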

Page 1 of 2