
go-vikunja — Vulnerabilities & Security Advisories (35)

Browse all 35 CVE security advisories affecting go-vikunja. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Vikunja is an open-source, self-hosted task management application for personal and team productivity, written in Go with a Vue.js frontend. Security audits have identified thirty-five Common Vulnerabilities and Exposures (CVEs) affecting the platform, most of them in its web interface and API endpoints. Historically, these flaws have frequently involved Cross-Site Scripting (XSS), SQL injection, and improper access control that permits privilege escalation. Several incidents highlight the risk of unauthenticated remote code execution and insecure direct object references, which can expose sensitive user data or allow attackers to manipulate task records. The project's architecture, while modern, has shown weaknesses in input validation and session management. These recurring issues underscore the importance of rigorous code review and timely patching for administrators running Vikunja in production, since the cumulative risk profile suggests the potential for significant data breaches if left unaddressed.

Top products by go-vikunja: vikunja
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40103 | Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds | vikunja | CWE-836 | 4.3 | Medium | 2026-04-10 |
| CVE-2026-35602 | Vikunja has a File Size Limit Bypass via Vikunja Import | vikunja | CWE-770 | 5.4 | Medium | 2026-04-10 |
| CVE-2026-35601 | Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output | vikunja | CWE-93 | 4.1 | Medium | 2026-04-10 |
| CVE-2026-35600 | Vikunja has HTML Injection via Task Titles in Overdue Email Notifications | vikunja | CWE-79 | 5.4 | Medium | 2026-04-10 |
| CVE-2026-35599 | Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler | vikunja | CWE-407 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-35598 | Vikunja has Missing Authorization on CalDAV Task Read | vikunja | CWE-862 | 4.3 | Medium | 2026-04-10 |
| CVE-2026-35597 | Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout | vikunja | CWE-307 | 5.9 | Medium | 2026-04-10 |
| CVE-2026-35596 | Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug | vikunja | CWE-863 | 4.3 | Medium | 2026-04-10 |
| CVE-2026-35595 | Vikunja Affected by Privilege Escalation via Project Reparenting | vikunja | CWE-269 | 8.3 | High | 2026-04-10 |
| CVE-2026-35594 | Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade | vikunja | CWE-613 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-34727 | Vikunja has a TOTP Two-Factor Authentication Bypass via OIDC Login Path | vikunja | CWE-287 | 7.4 | High | 2026-04-10 |
| CVE-2026-33700 | Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion | vikunja | CWE-639 | 2.7 | - | 2026-03-24 |
| CVE-2026-33680 | Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation | vikunja | CWE-285 | 7.5 | High | 2026-03-24 |
| CVE-2026-33679 | Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections | vikunja | CWE-918 | 6.4 | Medium | 2026-03-24 |
| CVE-2026-33678 | Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion | vikunja | CWE-639 | 8.1 | High | 2026-03-24 |
| CVE-2026-33677 | Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API | vikunja | CWE-200 | 6.5 | Medium | 2026-03-24 |
| CVE-2026-33676 | Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read | vikunja | CWE-863 | 6.5 | Medium | 2026-03-24 |
| CVE-2026-33675 | Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources | vikunja | CWE-918 | 6.4 | Medium | 2026-03-24 |
| CVE-2026-33668 | Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect | vikunja | CWE-285 | 4.4 | - | 2026-03-24 |
| CVE-2026-33474 | Vikunja Affected by DoS via Image Preview Generation | vikunja | CWE-400 | 6.5 | Medium | 2026-03-24 |
| CVE-2026-33473 | Vikunja has TOTP Reuse During Validity Window | vikunja | CWE-287 | 5.7 | Medium | 2026-03-24 |
| CVE-2026-33336 | Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation | vikunja | CWE-94 | 9.6 | - | 2026-03-24 |
| CVE-2026-33335 | Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal | vikunja | CWE-939 | 6.1 | - | 2026-03-24 |
| CVE-2026-33334 | Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration | vikunja | CWE-94 | 9.0 | - | 2026-03-24 |
| CVE-2026-33316 | Vikunja's Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement | vikunja | CWE-284 | 8.1 | High | 2026-03-24 |
| CVE-2026-33315 | Vikunja has a 2FA Bypass via CalDAV Basic Auth | vikunja | CWE-288 | 5.3 | - | 2026-03-24 |
| CVE-2026-33313 | Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments | vikunja | CWE-639 | 4.3 | - | 2026-03-24 |
| CVE-2026-33312 | Read-only Vikunja users can delete project background images via broken object-level authorization | vikunja | CWE-863 | 4.3 | - | 2026-03-20 |
| CVE-2026-29794 | Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers | vikunja | CWE-807 | 5.3 | Medium | 2026-03-20 |
| CVE-2026-28268 | Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse | vikunja | CWE-459 | 9.8 | Critical | 2026-02-27 |

This page lists every published CVE security advisory associated with go-vikunja. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.