pkg:Go/code.vikunja.io/api

55 total CVEs: CRITICAL 4, HIGH 13, MEDIUM 26

All known vulnerabilities

  • CRITICAL 9.8 CVE-2026-28268: Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
    affected: from 0
  • CRITICAL 9.8 CVE-2026-28268: Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
    affected: from 0, <= 0.24.6
  • CRITICAL 9.1 CVE-2026-27575: Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api
    affected: from 0
  • CRITICAL 9.1 CVE-2026-27575: Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api
    affected: from 0, <= 0.24.6
  • HIGH 8.3 CVE-2026-35595: Vikunja vulnerable to Privilege Escalation via Project Reparenting
    affected: from 0, < 2.3.0
  • HIGH 8.3 CVE-2026-35595: Vikunja vulnerable to Privilege Escalation via Project Reparenting
    affected: from 0
  • HIGH 8.1 CVE-2026-33678: Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
    affected: from 0, < 2.2.1
  • HIGH 8.1 CVE-2026-33678: Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
    affected: from 0
  • HIGH 8.1 CVE-2026-33316: Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
    affected: from 0, <= 2.1.0
  • HIGH 8.1 CVE-2026-33316: Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
    affected: from 0
  • HIGH 7.5 CVE-2026-33680: Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
    affected: from 0, < 2.2.2
  • HIGH 7.5 CVE-2026-33680: Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
    affected: from 0
  • HIGH 7.4 CVE-2026-34727: Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
    affected: from 0, < 2.3.0
  • HIGH 7.3 CVE-2026-27616: Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api
    affected: from 0
  • HIGH 7.3 CVE-2026-27616: Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api
    affected: from 0, <= 0.24.6
  • HIGH 7.2 CVE-2026-27819: Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api
    affected: from 0, <= 0.24.6
  • HIGH 7.2 CVE-2026-27819: Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api
    affected: from 0
  • MEDIUM 6.5 CVE-2026-35599: Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
    affected: from 0, < 2.3.0
  • MEDIUM 6.5 CVE-2026-35594: Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
    affected: from 0, < 2.3.0
  • MEDIUM 6.5 CVE-2026-33677: Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
    affected: from 0, < 2.2.1
  • MEDIUM 6.5 CVE-2026-33677: Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
    affected: from 0
  • MEDIUM 6.5 CVE-2026-33676: Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
    affected: from 0
  • MEDIUM 6.5 CVE-2026-33676: Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
    affected: from 0, < 2.2.1
  • MEDIUM 6.5 CVE-2026-33474: Vikunja Affected by DoS via Image Preview Generation
    affected: >= 1.0.0-rc0, < 2.2.0
  • MEDIUM 6.5 CVE-2026-33474: Vikunja Affected by DoS via Image Preview Generation
    affected: from 0
  • MEDIUM 6.4 CVE-2026-33679: Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
    affected: from 0
  • MEDIUM 6.4 CVE-2026-33679: Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
    affected: from 0, < 2.2.1
  • MEDIUM 6.4 CVE-2026-33675: Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources
    affected: from 0, < 2.2.1
  • MEDIUM 6.4 CVE-2026-33675: Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources
    affected: from 0
  • MEDIUM 6.1 CVE-2026-27116: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api
    affected: from 0, <= 0.24.6
  • MEDIUM 6.1 CVE-2026-27116: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api
    affected: from 0
  • MEDIUM 5.9 CVE-2026-35597: Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout
    affected: from 0, < 2.3.0
  • MEDIUM 5.7 CVE-2026-33473: Vikunja has TOTP Reuse During Validity Window
    affected: from 0
  • MEDIUM 5.7 CVE-2026-33473: Vikunja has TOTP Reuse During Validity Window
    affected: >= 0.13
  • MEDIUM 5.4 CVE-2026-40103: Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
    affected: from 0, < 2.3.0
  • MEDIUM 5.4 CVE-2026-35602: Vikunja has File Size Limit Bypass via Vikunja Import
    affected: from 0, < 2.3.0
  • MEDIUM 5.4 CVE-2026-35600: Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
    affected: from 0, < 2.3.0
  • MEDIUM 5.3 CVE-2026-29794: Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers
    affected: from 0
  • MEDIUM 5.3 CVE-2026-29794: Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers
    affected: >= 0.8, < 2.2.0
  • MEDIUM 4.3 CVE-2026-35598: Vikunja Missing Authorization on CalDAV Task Read
    affected: from 0, < 2.3.0
  • MEDIUM 4.3 CVE-2026-35596: Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
    affected: from 0, < 2.3.0
  • MEDIUM 4.1 CVE-2026-35601: Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
    affected: from 0, < 2.3.0
  • MEDIUM 4.1 CVE-2026-35601: Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
    affected: from 0
  • CVE-2026-33700: Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
    affected: from 0, < 2.2.1
  • CVE-2026-33700: Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
    affected: from 0
  • CVE-2026-33668: Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
    affected: >= 0.18.0
  • CVE-2026-33668: Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
    affected: >= 0.18.0, < 2.2.1
  • CVE-2026-33315: Vikunja has a 2FA Bypass via CalDAV Basic Auth
    affected: from 0, <= 2.1.0
  • CVE-2026-33315: Vikunja has a 2FA Bypass via CalDAV Basic Auth
    affected: from 0
  • CVE-2026-33313: Vikunja has an IDOR in Task Comments that Allows Reading Arbitrary Comments
    affected: from 0, <= 2.1.0
  • CVE-2026-33313: Vikunja has an IDOR in Task Comments that Allows Reading Arbitrary Comments
    affected: from 0
  • CVE-2026-33312: Vikunja read-only users can delete project background images via broken object-level authorization
    affected: >= 0.20.2
  • CVE-2026-33312: Vikunja read-only users can delete project background images via broken object-level authorization
    affected: >= 0.20.2, < 2.2.0
  • CVE-2026-25935: Vikunja Vulnerable to XSS via Task Preview in code.vikunja.io/api
    affected: from 0, <= 0.24.6
  • CVE-2026-25935: Vikunja Vulnerable to XSS via Task Preview in code.vikunja.io/api
    affected: from 0