| CVE-2026-40103 | unknown | — | — | | | | 2mo ago | Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds |
| CVE-2026-35602 | unknown | — | — | | | | 2mo ago | Vikunja has File Size Limit Bypass via Vikunja Import |
| CVE-2026-35601 | unknown | — | — | | | | 2mo ago | Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output in code.vikunja.io/api |
| CVE-2026-35600 | unknown | — | — | | | | 2mo ago | Vikunja has HTML Injection via Task Titles in Overdue Email Notifications |
| CVE-2026-35599 | unknown | — | — | | | | 2mo ago | Vikunja has Algorithmic Complexity DoS in Repeating Task Handler |
| CVE-2026-35598 | unknown | — | — | | | | 2mo ago | Vikunja Missing Authorization on CalDAV Task Read |
| CVE-2026-35597 | unknown | — | — | | | | 2mo ago | Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout |
| CVE-2026-35596 | unknown | — | — | | | | 2mo ago | Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug |
| CVE-2026-35595 | unknown | — | — | | | | 2mo ago | Vikunja vulnerable to Privilege Escalation via Project Reparenting in code.vikunja.io/api |
| CVE-2026-35594 | unknown | — | — | | | | 2mo ago | Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade |
| CVE-2026-34727 | unknown | — | — | | | | 2mo ago | Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path |
| CVE-2026-33700 | unknown | — | — | | | | 2mo ago | Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api |
| CVE-2026-33680 | unknown | — | — | | | | 2mo ago | Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api |
| CVE-2026-33679 | unknown | — | — | | | | 2mo ago | Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api |
| CVE-2026-33678 | unknown | — | — | | | | 2mo ago | Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api |
| CVE-2026-33677 | unknown | — | — | | | | 2mo ago | Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api |
| CVE-2026-33676 | unknown | — | — | | | | 2mo ago | Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api |
| CVE-2026-33675 | unknown | — | — | | | | 2mo ago | Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api |
| CVE-2026-33668 | unknown | — | — | | | | 2mo ago | Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api |
| CVE-2026-33474 | unknown | — | — | | | | 2mo ago | Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api |
| CVE-2026-33473 | unknown | — | — | | | | 2mo ago | Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api |
| CVE-2026-33316 | unknown | — | — | | | | 2mo ago | Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api |
| CVE-2026-33315 | unknown | — | — | | | | 2mo ago | Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api |
| CVE-2026-33313 | unknown | — | — | | | | 2mo ago | Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api |
| CVE-2026-33312 | unknown | — | — | | | | 2mo ago | Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api |
| CVE-2026-29794 | unknown | — | — | | | | 2mo ago | Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api |
| CVE-2026-28268 | unknown | — | — | | | | 3mo ago | Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api |
| CVE-2026-27819 | unknown | — | — | | | | 3mo ago | Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api |
| CVE-2026-27616 | unknown | — | — | | | | 3mo ago | Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api |
| CVE-2026-27575 | unknown | — | — | | | | 3mo ago | Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api |
| CVE-2026-27116 | unknown | — | — | | | | 3mo ago | Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api |
| CVE-2026-25935 | unknown | — | — | | | | 4mo ago | Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api |