Product

vikunja

35 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-40103
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom
4.3 MEDIUM
CVE-2026-35602
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker
5.4 MEDIUM
CVE-2026-35601
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO
4.1 MEDIUM
CVE-2026-35600
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown li
5.4 MEDIUM
CVE-2026-35599
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n)
6.5 MEDIUM
CVE-2026-35598
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList meth
4.3 MEDIUM
CVE-2026-35597
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-f
5.9 MEDIUM
CVE-2026-35596
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL opera
4.3 MEDIUM
CVE-2026-35595
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissi
8.3 HIGH
CVE-2026-35594
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareF
6.5 MEDIUM
CVE-2026-34727
< 2.3.0
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token
7.4 HIGH
CVE-2026-33700
< 2.2.1
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shar
4.9 MEDIUM
CVE-2026-33680
< 2.2.2
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll() method allows
7.5 HIGH
CVE-2026-33679
< 2.2.1
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DownloadImage function in `pkg/utils
6.4 MEDIUM
CVE-2026-33678
< 2.2.1
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne() queries attachm
8.1 HIGH
CVE-2026-33677
< 2.2.1
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhook
6.5 MEDIUM
CVE-2026-33676
< 2.2.1
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it pop
6.5 MEDIUM
CVE-2026-33675
< 2.2.1
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFi
6.4 MEDIUM
CVE-2026-33668
>= 0.18.0 and < 2.2.1
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user
8.1 HIGH
CVE-2026-33474
>= 1.0.0 and < 2.2.0
Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounde
6.5 MEDIUM
CVE-2026-33473
>= 0.13 and < 2.2.1
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that
5.7 MEDIUM
CVE-2026-33336
>= 0.21.0 and < 2.2.2
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja
8.8 HIGH
CVE-2026-33335
>= 0.21.0 and < 2.2.2
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja
8.0 HIGH
CVE-2026-33334
>= 0.21.0 and < 2.2.2
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja
9.6 CRITICAL
CVE-2026-33316
< 2.2.0
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic
8.1 HIGH
CVE-2026-33315
< 2.2.0
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Bas
4.3 MEDIUM
CVE-2026-33313
< 2.2.0
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task co
4.3 MEDIUM
CVE-2026-33312
>= 0.20.2 and < 2.2.0
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE
5.4 MEDIUM
CVE-2026-29794
>= 0.8 and < 2.2.0
Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticate
5.3 MEDIUM
CVE-2026-28268
< 2.1.0
Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists
9.8 CRITICAL
CVE-2026-27819
< 2.0.0
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/
7.2 HIGH
CVE-2026-27616
< 2.0.0
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG
7.3 HIGH
CVE-2026-27575
< 2.0.0
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak p
9.1 CRITICAL
CVE-2026-27116
< 2.0.0
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability e
6.1 MEDIUM
CVE-2026-25935
< 1.1.0
Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtm
5.4 MEDIUM
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin