CVE-2026-33474— Vikunja Affected by DoS via Image Preview Generation

CVSS 6.5 · Medium EPSS 0.05% · P17 Updated Mar 25, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-33474

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Vikunja Affected by DoS via Image Preview Generation

Source: NVD (National Vulnerability Database)

Vulnerability Description

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

未加控制的资源消耗(资源穷尽)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Vikunja 资源管理错误漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Vikunja是Vikunja开源的一个待办事项应用程序。 Vikunja 1.0.0-rc0版本至2.2.0之前版本存在资源管理错误漏洞，该漏洞源于预览生成期间无限制的图像解码和调整大小，可能导致CPU和内存耗尽。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
go-vikunja	vikunja	>= 1.0.0-rc0, < 2.2.0	-

II. Public POCs for CVE-2026-33474

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-33474

请登录查看更多情报信息。

Vikunja 2.2.0: Ten security fixes, Gantt overhaul, and task duplicationx_refsource_MISC
DoS via Image Preview Generation · Advisory · go-vikunja/vikunja · GitHubx_refsource_CONFIRM
https://nvd.nist.gov/vuln/detail/CVE-2026-33474

Same Patch Batch · go-vikunja · 2026-03-24 · 16 CVEs total

CVE-2026-33316	8.1 HIGH	Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablem
CVE-2026-33678	8.1 HIGH	Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
CVE-2026-33680	7.5 HIGH	Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission E
CVE-2026-33677	6.5 MEDIUM	Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
CVE-2026-33676	6.5 MEDIUM	Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorizatio
CVE-2026-33675	6.4 MEDIUM	Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Int
CVE-2026-33679	6.4 MEDIUM	Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections
CVE-2026-33473	5.7 MEDIUM	Vikunja has TOTP Reuse During Validity Window
CVE-2026-33315		Vikunja has a 2FA Bypass via Caldav Basic Auth
CVE-2026-33313		Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
CVE-2026-33335		Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openEx
CVE-2026-33334		Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegratio
CVE-2026-33336		Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation
CVE-2026-33668		Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and O
CVE-2026-33700		Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Projec

IV. Related Vulnerabilities

Same product: vikunja

Same vendor: go-vikunja

Same weakness: CWE-400

V. Comments for CVE-2026-33474

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-33474— Vikunja Affected by DoS via Image Preview Generation

I. Basic Information for CVE-2026-33474

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-33474

III. Intelligence Information for CVE-2026-33474

Same Patch Batch · go-vikunja · 2026-03-24 · 16 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-33474

Leave a comment