Vulnerabilities in go-vikunja
35 results

CVE-2026-33675 | MEDIUM | Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources | EPSS 0.3%
CVE-2026-35596 | MEDIUM | Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug | EPSS 0.3%
CVE-2026-35594 | MEDIUM | Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade | EPSS 0.3%
CVE-2026-33678 | HIGH | Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion | EPSS 0.3%
CVE-2026-33473 | MEDIUM | Vikunja has TOTP Reuse During Validity Window | EPSS 0.3%
CVE-2026-33313 | MEDIUM | Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments | EPSS 0.3%
CVE-2026-33335 | MEDIUM | Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal | EPSS 0.2%
CVE-2026-25935 | HIGH | Vikunja Affected by XSS Via Task Preview | EPSS 0.2%
CVE-2026-40103 | MEDIUM | Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds | EPSS 0.2%
CVE-2026-27116 | MEDIUM | Vikunja has Reflected HTML Injection via filter Parameter in Projects Module | EPSS 0.2%
CVE-2026-35598 | MEDIUM | Vikunja has Missing Authorization on CalDAV Task Read | EPSS 0.2%
CVE-2026-33312 | MEDIUM | Read-only Vikunja users can delete project background images via broken object-level authorization | EPSS 0.2%
CVE-2026-33700 | MEDIUM | Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion | EPSS 0.2%
CVE-2026-35601 | MEDIUM | Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output | EPSS 0.2%
CVE-2026-35600 | MEDIUM | Vikunja has HTML Injection via Task Titles in Overdue Email Notifications | EPSS 0.2%