Browse all 35 CVE security advisories affecting go-vikunja. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Vikunja is an open-source, self-hosted task management application designed for personal and team productivity, written in Go with a Vue.js frontend. Security audits have identified thirty-five Common Vulnerabilities and Exposures (CVEs) associated with the platform, primarily stemming from its web interface and API endpoints. Historically, these flaws frequently involve Cross-Site Scripting (XSS), SQL injection, and improper access control mechanisms that allow privilege escalation. Several incidents highlight risks related to unauthenticated remote code execution and insecure direct object references, which can expose sensitive user data or allow attackers to manipulate task records. The project’s architecture, while modern, has demonstrated vulnerabilities in input validation and session management. These recurring issues underscore the importance of rigorous code review and timely patching for administrators deploying Vikunja in production environments, as the cumulative risk profile suggests potential for significant data breaches if left unaddressed.
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-27819 | Vikunja has Path Traversal in CLI Restore — vikunja | CWE-22 | 7.2 | High | 2026-02-25 |
| CVE-2026-27616 | Vikunja Vulnerable to Stored Cross-Site Scripting (XSS) via Unsanitized SVG Attachment Upload Leading to Token Exposure — vikunja | CWE-79 | 7.3 | High | 2026-02-25 |
| CVE-2026-27575 | Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change — vikunja | CWE-521 | 9.1 | Critical | 2026-02-25 |
| CVE-2026-27116 | Vikunja has Reflected HTML Injection via filter Parameter in Projects Module — vikunja | CWE-79 | 6.1 | Medium | 2026-02-25 |
| CVE-2026-25935 | Vikunja Affected by XSS Via Task Preview — vikunja | CWE-80 | 5.4 (AI) | Medium (AI) | 2026-02-11 |
This page lists every published CVE security advisory associated with go-vikunja. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.