CVE Tools

go-vikunja

Cloud & SaaSoss-project

35

Cumulative CVEs

3

Monthly snapshots

#64

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting go-vikunja.

CVE-2026-40103Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds4.3Apr 10, 2026
CVE-2026-35602Vikunja has a File Size Limit Bypass via Vikunja Import5.4Apr 10, 2026
CVE-2026-35601Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output4.1Apr 10, 2026
CVE-2026-35600Vikunja has HTML Injection via Task Titles in Overdue Email Notifications5.4Apr 10, 2026
CVE-2026-35599Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler6.5Apr 10, 2026
CVE-2026-35598Vikunja has Missing Authorization on CalDAV Task Read4.3Apr 10, 2026
CVE-2026-35597Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout5.9Apr 10, 2026
CVE-2026-35596Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug4.3Apr 10, 2026
CVE-2026-35595Vikunja Affected by Privilege Escalation via Project Reparenting8.3Apr 10, 2026
CVE-2026-35594Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade6.5Apr 10, 2026
CVE-2026-34727Vikunja ahs a TOTP Two-Factor Authentication Bypass via OIDC Login Path7.4Apr 10, 2026
CVE-2026-33700Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion4.9Mar 24, 2026
CVE-2026-33680Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation7.5Mar 24, 2026
CVE-2026-33679Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections6.4Mar 24, 2026
CVE-2026-33678Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion8.1Mar 24, 2026