code.vikunja.io/api (go) security advisories

MEDIUM 4.1

Go

CVE-2026-35601

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output

Apr 10, 2026

HIGH 8.3

Go

CVE-2026-35595

Vikunja vulnerable to Privilege Escalation via Project Reparenting

Apr 10, 2026

UNKNOWN

Go

CVE-2026-35601

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output in code.vikunja.io/api

May 20, 2026

UNKNOWN

Go

CVE-2026-35595

Vikunja vulnerable to Privilege Escalation via Project Reparenting in code.vikunja.io/api

May 20, 2026

MEDIUM 5.4

Go

CVE-2026-40103

Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds

Apr 10, 2026

MEDIUM 5.4

Go

CVE-2026-35600

Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Apr 10, 2026

MEDIUM 5.4

Go

CVE-2026-35602

Vikunja has File Size Limit Bypass via Vikunja Import

Apr 10, 2026

HIGH 7.4

Go

CVE-2026-34727

Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path

Apr 10, 2026

MEDIUM 6.5

Go

CVE-2026-35594

Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade

Apr 10, 2026

MEDIUM 6.5

Go

CVE-2026-35599

Vikunja has Algorithmic Complexity DoS in Repeating Task Handler

Apr 10, 2026

MEDIUM 4.3

Go

CVE-2026-35598

Vikunja Missing Authorization on CalDAV Task Read

Apr 10, 2026

MEDIUM 5.9

Go

CVE-2026-35597

Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout

Apr 10, 2026

MEDIUM 4.3

Go

CVE-2026-35596

Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug

Apr 10, 2026

MEDIUM 6.4

Go

CVE-2026-33679

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download

Mar 25, 2026

HIGH 7.5

Go

CVE-2026-33680

Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation

Mar 25, 2026

CRITICAL 9.1

Go

GO-2026-4855

Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR

Mar 26, 2026

UNKNOWN

Go

CVE-2026-33668

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Mar 25, 2026

UNKNOWN

Go

CVE-2026-33700

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

Mar 25, 2026

MEDIUM 6.5

Go

CVE-2026-33676

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Mar 25, 2026

MEDIUM 6.4

Go

CVE-2026-33675

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources

Mar 25, 2026

HIGH 8.1

Go

CVE-2026-33678

Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Mar 25, 2026

MEDIUM 6.5

Go

CVE-2026-33677

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Mar 25, 2026

UNKNOWN

Go

CVE-2026-33675

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api

Mar 26, 2026

UNKNOWN

Go

CVE-2026-33700

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api

Mar 26, 2026

UNKNOWN

Go

CVE-2026-33677

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api

Mar 26, 2026

UNKNOWN

Go

CVE-2026-33680

Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api

Mar 26, 2026

UNKNOWN

Go

CVE-2026-33679

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api

Mar 26, 2026

UNKNOWN

Go

GHSA-2pv8-4c52-mf8j

Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api

Mar 26, 2026

UNKNOWN

Go

CVE-2026-33668

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api

Mar 26, 2026

UNKNOWN

Go

CVE-2026-33678

Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api

Mar 26, 2026

UNKNOWN

Go

CVE-2026-33676

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api

Mar 26, 2026

MEDIUM 6.5

Go

CVE-2026-33474

Vikunja Affected by DoS via Image Preview Generation

Mar 20, 2026

HIGH 8.1

Go

CVE-2026-33316

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Mar 20, 2026

UNKNOWN

Go

CVE-2026-33315

Vikunja has a 2FA Bypass via Caldav Basic Auth

Mar 20, 2026

UNKNOWN

Go

CVE-2026-33313

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments

Mar 20, 2026

MEDIUM 5.7

Go

CVE-2026-33473

Vikunja has TOTP Reuse During Validity Window

Mar 20, 2026

UNKNOWN

Go

CVE-2026-33312

Vikunja read-only users can delete project background images via broken object-level authorization

Mar 20, 2026

MEDIUM 5.3

Go

CVE-2026-29794

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Mar 20, 2026

UNKNOWN

Go

CVE-2026-33473

Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api

Mar 23, 2026

UNKNOWN

Go

CVE-2026-33474

Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api

Mar 23, 2026

UNKNOWN

Go

CVE-2026-29794

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api

Mar 23, 2026

UNKNOWN

Go

CVE-2026-33315

Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api

Mar 23, 2026

UNKNOWN

Go

CVE-2026-33313

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api

Mar 23, 2026

UNKNOWN

Go

CVE-2026-33316

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api

Mar 23, 2026

UNKNOWN

Go

CVE-2026-33312

Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api

Mar 23, 2026

CRITICAL 9.8

Go

CVE-2026-28268

Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse

Feb 28, 2026

UNKNOWN

Go

CVE-2026-28268

Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api

Mar 10, 2026

UNKNOWN

Go

CVE-2026-27575

Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api

Feb 27, 2026

CRITICAL 9.1

Go

CVE-2026-27575

Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change

Feb 25, 2026

UNKNOWN

Go

CVE-2026-27819

Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api

Feb 27, 2026

HIGH 7.2

Go

CVE-2026-27819

Vikunja has Path Traversal in CLI Restore

Feb 26, 2026

UNKNOWN

Go

CVE-2026-27116

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api

Feb 27, 2026

MEDIUM 6.1

Go

CVE-2026-27116

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module

Feb 25, 2026

UNKNOWN

Go

CVE-2026-27616

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api

Feb 27, 2026

HIGH 7.3

Go

CVE-2026-27616

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure

Feb 25, 2026

UNKNOWN

Go

CVE-2026-25935

Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api

Feb 17, 2026

UNKNOWN

Go

CVE-2026-25935

Vikunja Vulnerable to XSS Via Task Preview

Feb 11, 2026

code.vikunja.io/api

Vulnerabilities

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output

Vikunja vulnerable to Privilege Escalation via Project Reparenting

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output in code.vikunja.io/api

Vikunja vulnerable to Privilege Escalation via Project Reparenting in code.vikunja.io/api

Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds

Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Vikunja has File Size Limit Bypass via Vikunja Import

Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path

Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade

Vikunja has Algorithmic Complexity DoS in Repeating Task Handler

Vikunja Missing Authorization on CalDAV Task Read

Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout

Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download

Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation

Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources

Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api

Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api

Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api

Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api

Vikunja Affected by DoS via Image Preview Generation

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Vikunja has a 2FA Bypass via Caldav Basic Auth

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments

Vikunja has TOTP Reuse During Validity Window

Vikunja read-only users can delete project background images via broken object-level authorization

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api

Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api

Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api

Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api

Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse

Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api

Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api

Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change

Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api

Vikunja has Path Traversal in CLI Restore

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure

Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api

Vikunja Vulnerable to XSS Via Task Preview

Start Securing