UNKNOWN Go
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api
GO-2026-4855 · GHSA-2pv8-4c52-mf8j
Published · Modified
Description
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.
References
- ADVISORY https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j
- WEB https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9
- WEB https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2
- WEB https://vikunja.io/changelog/vikunja-v2.2.2-was-released
Ready to move
Start Securing
Free, no credit card | First findings in minutes