code.vikunja.io/api (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package code.vikunja.io/api, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (32)
CVE-2026-28268 — CVSS 9.8 (critical): Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the…
CVE-2026-27575 — CVSS 9.1 (critical): Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords…
CVE-2026-35595 — CVSS 8.3 (high): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139…
CVE-2026-33678 — CVSS 8.1 (high): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by…
CVE-2026-33668 — CVSS 8.1 (high): Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account…
CVE-2026-33316 — CVSS 8.1 (high): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows…
CVE-2026-33680 — CVSS 7.5 (high): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link…
CVE-2026-34727 — CVSS 7.4 (high): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without…
CVE-2026-27616 — CVSS 7.3 (high): Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as…
CVE-2026-27819 — CVSS 7.2 (high): Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in…
CVE-2026-35594 — CVSS 6.5 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims…
CVE-2026-35599 — CVSS 6.5 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that…
CVE-2026-33474 — CVSS 6.5 (medium): Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image…
CVE-2026-33676 — CVSS 6.5 (medium): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates…
CVE-2026-33677 — CVSS 6.5 (medium): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks`…
CVE-2026-33679 — CVSS 6.4 (medium): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in…
CVE-2026-33675 — CVSS 6.4 (medium): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and…
CVE-2026-27116 — CVSS 6.1 (medium): Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in…
CVE-2026-35597 — CVSS 5.9 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional…
CVE-2026-33473 — CVSS 5.7 (medium): Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has…
CVE-2026-25935 — CVSS 5.4 (medium): Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the…
CVE-2026-33312 — CVSS 5.4 (medium): Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE…
CVE-2026-35600 — CVSS 5.4 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax…
CVE-2026-35602 — CVSS 5.4 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the…
CVE-2026-29794 — CVSS 5.3 (medium): Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users…
CVE-2026-33700 — CVSS 4.9 (medium): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share`…
CVE-2026-35598 — CVSS 4.3 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch…
CVE-2026-40103 — CVSS 4.3 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project…
CVE-2026-33315 — CVSS 4.3 (medium): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic…
CVE-2026-33313 — CVSS 4.3 (medium): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by…
CVE-2026-35596 — CVSS 4.3 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator…
CVE-2026-35601 — CVSS 4.1 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries…