code.vikunja.io/api
Go
11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting code.vikunja.io/api (page 1 of 1)
- CVE-2026-34727 | HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 2.3.0 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with …
- CVE-2026-35594 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.3.0 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without an…
- CVE-2026-35595 | HIGH | CVSS 8.3 | EG 8.3 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vik…
- CVE-2026-35596 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.3.0 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task associatio…
- CVE-2026-35597 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 2.3.0 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/…
- CVE-2026-35598 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.3.0 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task…
- CVE-2026-35599 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.3.0 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a…
- CVE-2026-35600 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 2.3.0 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldm…
- CVE-2026-35601 | MEDIUM | CVSS 4.1 | EG 4.1 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task tit…
- CVE-2026-35602 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 2.3.0 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file c…
- CVE-2026-40103 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.3.0 | 2026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a…