VYPR vendor page: Vikunja

Products: 1
CVEs: 14 (across products: 14)
Status: Private

Recent CVEs (14)

  • CVE-2026-35595 (High, Apr 10, 2026)
    risk 0.47, CVSS 8.3, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive…

  • CVE-2026-34727 (High, Apr 10, 2026)
    risk 0.41, CVSS 7.4, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC…
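Added example for CVE-2026-34727, written for this page and not taken from Vikunja: after an OIDC match, a user who has TOTP enrolled must receive a token that unlocks nothing but the TOTP step, and only a verified code upgrades it to a session. The User and Token types, the "session"/"totp_pending" claim, and the in-memory flow are assumptions; the TOTP check is a plain RFC 4226/6238 implementation (HMAC-SHA1, six digits, 30-second steps) so the example runs offline. The secret in main is the RFC test-vector key, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed types; Vikunja's own user and token types are not shown on the page.
type User struct {
	ID          int64
	TOTPEnabled bool
	TOTPSecret  []byte // raw HMAC key, only meaningful when TOTPEnabled
}

// Token stands in for the JWT. Type is an assumed claim: "session" for a full
// login, "totp_pending" for a token that only proves the first factor.
type Token struct {
	UserID int64
	Type   string
}

// issueAfterOIDCVulnerable mirrors the advisory: a matched user always receives a
// full session token, so TOTP enrollment is never consulted.
func issueAfterOIDCVulnerable(u User) Token {
	return Token{UserID: u.ID, Type: "session"}
}

// issueAfterOIDC hands a TOTP-enrolled user a pending token instead, which
// authorize() rejects everywhere except the TOTP completion step.
func issueAfterOIDC(u User) Token {
	if u.TOTPEnabled {
		return Token{UserID: u.ID, Type: "totp_pending"}
	}
	return Token{UserID: u.ID, Type: "session"}
}

// authorize is the check every ordinary route applies to the presented token.
func authorize(tok Token) error {
	if tok.Type != "session" {
		return errors.New("second factor required")
	}
	return nil
}

// completeTOTP upgrades a pending token to a session once a valid code is shown.
func completeTOTP(tok Token, u User, code string, now time.Time) (Token, error) {
	if tok.Type != "totp_pending" || tok.UserID != u.ID {
		return Token{}, errors.New("no pending second-factor login for this user")
	}
	if !verifyTOTP(u.TOTPSecret, code, now) {
		return Token{}, errors.New("invalid TOTP code")
	}
	return Token{UserID: u.ID, Type: "session"}, nil
}

// hotp is RFC 4226 with HMAC-SHA1 and six digits, the common authenticator setup.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyTOTP checks an RFC 6238 code over 30-second steps with one step of skew
// either way, comparing in constant time and without early exit.
func verifyTOTP(secret []byte, code string, now time.Time) bool {
	t := uint64(now.Unix() / 30)
	steps := []uint64{t, t + 1}
	if t > 0 {
		steps = append(steps, t-1)
	}
	ok := false
	for _, c := range steps {
		if subtle.ConstantTimeCompare([]byte(hotp(secret, c)), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	u := User{ID: 1, TOTPEnabled: true, TOTPSecret: []byte("12345678901234567890")}
	pending := issueAfterOIDC(u)
	fmt.Println("after OIDC:", pending.Type, "| authorize:", authorize(pending))
	now := time.Unix(59, 0)
	full, err := completeTOTP(pending, u, hotp(u.TOTPSecret, uint64(now.Unix()/30)), now)
	fmt.Println("after TOTP:", full.Type, "| err:", err)
}
```

The point to carry over to any real handler: the branch on TOTP enrollment has to sit in every login path that mints a token, including the OIDC callback, not only in the password login handler.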

  • CVE-2026-35599 (Medium, Apr 10, 2026)
    risk 0.35, CVSS 6.5, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval…
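Added example for CVE-2026-35599, written for this page and not Vikunja's addRepeatIntervalToTime: the O(n) loop the advisory describes next to an O(1) replacement that computes the same next due date with one division. The function names and the assumption that the repeat interval is a number of seconds are this example's; the advisory text is truncated, so anything Vikunja does around the loop (database access, recurrence modes) is not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Constructed example, not Vikunja's code. repeatAfter is the task's repeat
// interval in seconds, as the advisory describes it.

// nextDueLinear mirrors the O(n) pattern: step forward one interval at a time until
// the date passes now. With a 1-second interval and a due date years in the past,
// a single request loops hundreds of millions of times.
func nextDueLinear(due time.Time, repeatAfter int64, now time.Time) (time.Time, error) {
	if repeatAfter <= 0 {
		return due, errors.New("repeat interval must be positive")
	}
	step := time.Duration(repeatAfter) * time.Second
	for !due.After(now) {
		due = due.Add(step)
	}
	return due, nil
}

// nextDueConstant returns the same date in O(1): the number of whole intervals to
// skip is a division, so the cost no longer depends on how old the due date is
// or how small the interval is.
func nextDueConstant(due time.Time, repeatAfter int64, now time.Time) (time.Time, error) {
	if repeatAfter <= 0 {
		return due, errors.New("repeat interval must be positive")
	}
	step := time.Duration(repeatAfter) * time.Second
	if due.After(now) {
		return due, nil
	}
	// smallest k with due + k*step > now is floor((now-due)/step) + 1
	k := int64(now.Sub(due)/step) + 1
	return due.Add(time.Duration(k) * step), nil
}

func main() {
	due := time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)
	now := time.Now().UTC()
	start := time.Now()
	next, _ := nextDueConstant(due, 1, now)
	fmt.Println("constant:", next, "took", time.Since(start))
	start = time.Now()
	next, _ = nextDueLinear(due, 1, now)
	fmt.Println("linear:  ", next, "took", time.Since(start))
}
```

Rejecting a non-positive interval up front matters as much as the arithmetic: with repeatAfter of zero the linear loop never terminates at all.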

  • CVE-2026-35594 (Medium, Apr 10, 2026)
    risk 0.35, CVSS 6.5, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When…
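Added example for CVE-2026-35594, written for this page and not taken from Vikunja's GetLinkShareFromClaims: a verified JWT signature proves the token was issued, not that the share still exists or still carries the right it had at issue time. The claims-only path reproduces whatever the token says; the hardened path uses the claim as a lookup key and takes project, right and revocation state from the current stored row. The claim field names, the Right constants and the in-memory map standing in for the database are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

type Right int

const (
	RightRead Right = iota
	RightWrite
	RightAdmin
)

// LinkShare is a constructed stand-in for the stored link-share row.
type LinkShare struct {
	ID        int64
	ProjectID int64
	Right     Right
	Revoked   bool
}

// ShareClaims is what the link-share JWT carries once its signature has been
// verified. Field names are assumed; the point is that they describe the share as
// it was when the token was minted, not as it is now.
type ShareClaims struct {
	ShareID   int64
	ProjectID int64
	Right     Right
}

// shareDB is an in-memory substitute for the database table.
var shareDB = map[int64]LinkShare{
	7: {ID: 7, ProjectID: 42, Right: RightRead},                 // right lowered after the token was issued
	8: {ID: 8, ProjectID: 43, Right: RightWrite, Revoked: true}, // share deleted after the token was issued
}

// authFromClaimsOnly mirrors the advisory's pattern: the authorization object is
// built entirely from the token, so a downgraded or deleted share keeps working
// for as long as the JWT itself is valid.
func authFromClaimsOnly(c ShareClaims) (LinkShare, error) {
	return LinkShare{ID: c.ShareID, ProjectID: c.ProjectID, Right: c.Right}, nil
}

// authFromDatabase treats the claims as a lookup key and nothing more: project,
// right and revocation state always come from the current row.
func authFromDatabase(c ShareClaims) (LinkShare, error) {
	s, ok := shareDB[c.ShareID]
	if !ok || s.Revoked {
		return LinkShare{}, errors.New("link share no longer exists")
	}
	return s, nil
}

func main() {
	stale := ShareClaims{ShareID: 7, ProjectID: 42, Right: RightAdmin}
	v, _ := authFromClaimsOnly(stale)
	h, err := authFromDatabase(stale)
	fmt.Printf("claims only: right=%d\ndatabase:    right=%d err=%v\n", v.Right, h.Right, err)
	_, err = authFromDatabase(ShareClaims{ShareID: 8, ProjectID: 43, Right: RightWrite})
	fmt.Println("revoked share:", err)
}
```

The database hit per request is the cost of being able to revoke a share; a cache keyed by share ID with a short TTL keeps that cost bounded without going back to trusting the token.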

  • CVE-2026-35597 (Medium, Apr 10, 2026)
    risk 0.31, CVSS 5.9, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls…

  • CVE-2026-35602 (Medium, Apr 10, 2026)
    risk 0.28, CVSS 5.4, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size…
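Added example for CVE-2026-35602, written for this page and not Vikunja's importer: an import zip whose JSON metadata declares a small Size while the file entry decompresses to far more. The check measures the entry by streaming it through a bounded reader and decides on that measurement alone; neither the JSON Size nor the zip header's UncompressedSize64 is trusted, since the uploader wrote both. The entry names, the FileMeta field names and the 1 KiB limit are constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

// FileMeta is the per-file JSON metadata assumed for this example; the real
// import format's field names are not shown on the page.
type FileMeta struct {
	Name string `json:"name"`
	Size int64  `json:"size"`
}

// maxImportFileSize is a constructed per-file limit.
const maxImportFileSize = 1024

// buildImportZip constructs an import archive whose metadata claims declaredSize
// bytes while the file entry actually holds len(content) bytes.
func buildImportZip(declaredSize int64, content []byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	meta, _ := json.Marshal(FileMeta{Name: "a.txt", Size: declaredSize})
	w, _ := zw.Create("files/1.json")
	w.Write(meta)
	w, _ = zw.Create("files/1")
	w.Write(content)
	zw.Close()
	return buf.Bytes()
}

// checkImportSizes returns the size the metadata declares and the size actually
// measured by decompressing the entry through a bounded reader. Only the measured
// value feeds the decision.
func checkImportSizes(zipData []byte) (declared, actual int64, err error) {
	zr, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return 0, 0, err
	}
	for _, f := range zr.File {
		rc, oerr := f.Open()
		if oerr != nil {
			return 0, 0, oerr
		}
		switch f.Name {
		case "files/1.json":
			var m FileMeta
			// the metadata is small; bound it too so a huge JSON entry cannot exhaust memory
			if derr := json.NewDecoder(io.LimitReader(rc, 64<<10)).Decode(&m); derr != nil {
				rc.Close()
				return 0, 0, derr
			}
			declared = m.Size
		case "files/1":
			// read at most limit+1 bytes: one byte over the limit is enough to reject
			n, cerr := io.Copy(io.Discard, io.LimitReader(rc, maxImportFileSize+1))
			if cerr != nil {
				rc.Close()
				return 0, 0, cerr
			}
			actual = n
		}
		rc.Close()
	}
	if actual > maxImportFileSize {
		return declared, actual, fmt.Errorf("file content exceeds %d bytes (metadata declared %d)", maxImportFileSize, declared)
	}
	return declared, actual, nil
}

func main() {
	d, a, err := checkImportSizes(buildImportZip(10, bytes.Repeat([]byte("A"), 4096)))
	fmt.Printf("declared=%d measured=%d err=%v\n", d, a, err)
}
```

In a real importer the same LimitReader wraps the copy to disk, so the limit is enforced on the bytes that are actually written rather than checked once and then ignored.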

  • CVE-2026-35600 (Medium, Apr 10, 2026)
    risk 0.28, CVSS 5.4, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which…
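Added example for CVE-2026-35600, written for this page and not Vikunja's notification code: a task title placed straight into `[title](url)` can close the link text and open a link of its own, so the rendered email points where the title says. The escaper backslash-escapes every ASCII punctuation character, which is the set CommonMark allows to be escaped, before the title enters Markdown. The function names and sample URLs are constructed; how bluemonday is configured downstream is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeMarkdownText backslash-escapes every ASCII punctuation character, which
// CommonMark defines as the escapable set, so a title can never close the link
// text, open a new link, or start any other inline syntax.
func escapeMarkdownText(s string) string {
	const punct = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
	var b strings.Builder
	for _, r := range s {
		if r < 0x80 && strings.ContainsRune(punct, r) {
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// overdueLinkVulnerable mirrors the advisory's pattern: the raw title goes
// straight into link syntax.
func overdueLinkVulnerable(title, taskURL string) string {
	return "[" + title + "](" + taskURL + ")"
}

// overdueLinkSafe escapes the title first. taskURL is assumed to be built by the
// server from the task ID, never from user input.
func overdueLinkSafe(title, taskURL string) string {
	return "[" + escapeMarkdownText(title) + "](" + taskURL + ")"
}

func main() {
	title := "Pay invoice](https://evil.example/phish)"
	url := "https://vikunja.example/tasks/1"
	fmt.Println(overdueLinkVulnerable(title, url))
	fmt.Println(overdueLinkSafe(title, url))
}
```

Escaping at the Markdown layer is what keeps the link structure intact; an HTML sanitizer run after rendering can only strip tags and attributes, it cannot tell that the anchor's href came from the title rather than the server.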

  • CVE-2026-40103 (Medium, Apr 10, 2026)
    risk 0.21, CVSS 4.3, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with…

  • CVE-2026-35598 (Medium, Apr 10, 2026)
    risk 0.21, CVSS 4.3, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV…

  • CVE-2026-35596 (Medium, Apr 10, 2026)
    risk 0.21, CVSS 4.3, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label…

  • CVE-2026-35601 (Medium, Apr 10, 2026)
    risk 0.20, CVSS 4.1, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the…
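Added example for CVE-2026-35601, written for this page and not Vikunja's CalDAV generator: a title containing CRLF injected into a VTODO by raw concatenation terminates the SUMMARY line and lets the rest of the title appear as further properties and even a second VTODO. The hardened version applies RFC 5545 TEXT escaping (backslash, semicolon, comma, and line breaks rendered as backslash-n) and 75-octet line folding to every property, and countProperty shows what a client's parser sees after unfolding. Function names and the sample title are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// vtodoRaw mirrors the advisory's pattern: raw concatenation with no escaping.
func vtodoRaw(uid, summary string) string {
	return "BEGIN:VTODO\r\nUID:" + uid + "\r\nSUMMARY:" + summary + "\r\nEND:VTODO\r\n"
}

// escapeICalText applies RFC 5545 section 3.3.11 TEXT escaping: backslash,
// semicolon and comma get a leading backslash and any line break becomes the two
// characters backslash-n, so user text can never terminate the content line.
func escapeICalText(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\':
			b.WriteString(`\\`)
		case ';':
			b.WriteString(`\;`)
		case ',':
			b.WriteString(`\,`)
		case '\r':
			if i+1 < len(s) && s[i+1] == '\n' {
				i++ // treat CRLF as one line break
			}
			b.WriteString(`\n`)
		case '\n':
			b.WriteString(`\n`)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// foldLine applies RFC 5545 section 3.1 folding: a content line longer than 75
// octets continues after CRLF plus one space. Folds land on rune boundaries so a
// multi-byte UTF-8 sequence is never split.
func foldLine(line string) string {
	const max = 75
	var b strings.Builder
	n := 0
	for _, r := range line {
		size := utf8.RuneLen(r)
		if n+size > max {
			b.WriteString("\r\n ")
			n = 1
		}
		b.WriteRune(r)
		n += size
	}
	return b.String()
}

// vtodo emits one VTODO with escaping and folding applied to every property.
func vtodo(uid, summary string) string {
	props := []string{
		"BEGIN:VTODO",
		"UID:" + escapeICalText(uid),
		"SUMMARY:" + escapeICalText(summary),
		"END:VTODO",
	}
	var b strings.Builder
	for _, p := range props {
		b.WriteString(foldLine(p))
		b.WriteString("\r\n")
	}
	return b.String()
}

// countProperty unfolds the output and counts content lines that start with the
// named property, i.e. what a CalDAV client's parser actually sees.
func countProperty(ical, name string) int {
	unfolded := strings.ReplaceAll(ical, "\r\n ", "")
	n := 0
	for _, line := range strings.Split(unfolded, "\r\n") {
		if strings.HasPrefix(line, name+":") || strings.HasPrefix(line, name+";") {
			n++
		}
	}
	return n
}

func main() {
	title := "Buy milk\r\nEND:VTODO\r\nBEGIN:VTODO\r\nSUMMARY:injected; evil, x"
	fmt.Println("VTODO blocks in raw output:    ", countProperty(vtodoRaw("task-1", title), "BEGIN"))
	fmt.Println("VTODO blocks in escaped output:", countProperty(vtodo("task-1", title), "BEGIN"))
	fmt.Print(vtodo("task-1", title))
}
```

Escaping and folding belong in one place that every property value passes through; applying them only to SUMMARY leaves DESCRIPTION, LOCATION and any other free-text field with the same injection.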

  • CVE-2026-33336 (Mar 24, 2026)
    risk 0.00, CVSS not listed, EPSS 0.01

    Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can…

  • CVE-2026-33335 (Mar 24, 2026)
    risk 0.00, CVSS not listed, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting.…

  • CVE-2026-33334 (Mar 24, 2026)
    risk 0.00, CVSS not listed, EPSS 0.00

    Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site…