pkg:Go/code.vikunja.io/api

All known vulnerabilities

• CRITICAL9.8CVE-2026-28268Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api
  from 0
• CRITICAL9.8CVE-2026-28268Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api
  from 0, <= 0.24.6
• CRITICAL9.1CVE-2026-27575Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api
  from 0
• CRITICAL9.1Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api
  from 0, <= 0.24.6
• HIGH8.3Vikunja vulnerable to Privilege Escalation via Project Reparenting in code.vikunja.io/api
  from 0, < 2.3.0
• HIGH8.3Vikunja vulnerable to Privilege Escalation via Project Reparenting in code.vikunja.io/api
  from 0
• HIGH8.1Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api
  from 0, < 2.2.1
• HIGH8.1Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api
  from 0
• HIGH8.1Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api
  from 0, <= 2.1.0
• HIGH8.1Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api
  from 0
• HIGH7.5Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api
  from 0, < 2.2.2
• HIGH7.5Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api
  from 0
• HIGH7.4Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
  from 0, < 2.3.0
• HIGH7.3Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api
  from 0
• HIGH7.3Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api
  from 0, <= 0.24.6
• HIGH7.2Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api
  from 0, <= 0.24.6
• HIGH7.2Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api
  from 0
• MEDIUM6.5Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
  from 0, < 2.3.0
• MEDIUM6.5Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
  from 0, < 2.3.0
• MEDIUM6.5Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api
  from 0, < 2.2.1
• MEDIUM6.5Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api
  from 0
• MEDIUM6.5Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api
  from 0
• MEDIUM6.5Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api
  from 0, < 2.2.1
• MEDIUM6.5Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api
  >= 1.0.0-rc0, < 2.2.0
• MEDIUM6.5Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api
  from 0
• MEDIUM6.4Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api
  from 0
• MEDIUM6.4Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api
  from 0, < 2.2.1
• MEDIUM6.4Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api
  from 0, < 2.2.1
• MEDIUM6.4Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api
  from 0
• MEDIUM6.1Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api
  from 0, <= 0.24.6
• MEDIUM6.1Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api
  from 0
• MEDIUM5.9Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout
  from 0, < 2.3.0
• MEDIUM5.7Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api
  from 0
• MEDIUM5.7Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api
  >= 0.13
• MEDIUM5.4Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
  from 0, < 2.3.0
• MEDIUM5.4Vikunja has File Size Limit Bypass via Vikunja Import
  from 0, < 2.3.0
• MEDIUM5.4Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
  from 0, < 2.3.0
• MEDIUM5.3Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api
  from 0
• MEDIUM5.3Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api
  >= 0.8, < 2.2.0
• MEDIUM4.3Vikunja Missing Authorization on CalDAV Task Read
  from 0, < 2.3.0
• MEDIUM4.3Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
  from 0, < 2.3.0
• MEDIUM4.1Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output in code.vikunja.io/api
  from 0, < 2.3.0
• MEDIUM4.1Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output in code.vikunja.io/api
  from 0
• —Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api
  from 0, < 2.2.1
• —Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api
  from 0
• —Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api
  >= 0.18.0
• —Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api
  >= 0.18.0, < 2.2.1
• —Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api
  from 0, <= 2.1.0
• —Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api
  from 0
• —Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api
  from 0, <= 2.1.0
• —Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api
  from 0
• —Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api
  >= 0.20.2
• —Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api
  >= 0.20.2, < 2.2.0
• —Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api
  from 0, <= 0.24.6
• —Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api
  from 0