Security: go-vikunja/vikunja
No security policy detected
This project has not set up a SECURITY.md file yet.
Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
GHSA-f95f-77jx-fcjc, published Mar 23, 2026 by kolaente. Severity: Moderate
Disabled/Locked User Accounts Can Still Authenticate via API Tokens, CalDAV, and OpenID Connect
GHSA-94xm-jj8x-3cr4, published Mar 23, 2026 by kolaente. Severity: High
SSRF via OpenID Connect Avatar Download Bypasses Webhook SSRF Protections
GHSA-g9xj-752q-xh63, published Mar 23, 2026 by kolaente. Severity: Moderate
SSRF via Todoist/Trello Migration File Attachment URLs Allows Reading Internal Network Resources
GHSA-g66v-54v9-52pr, published Mar 23, 2026 by kolaente. Severity: Moderate
Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
GHSA-8cmm-j6c4-rr8v, published Mar 23, 2026 by kolaente. Severity: Moderate
Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
GHSA-7c2g-p23p-4jg3, published Mar 23, 2026 by kolaente. Severity: Moderate
IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
GHSA-jfmm-mjcp-8wq2, published Mar 23, 2026 by kolaente. Severity: High
Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
GHSA-8hp8-9fhr-pfm9, published Mar 23, 2026 by kolaente. Severity: High
Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR
GHSA-2pv8-4c52-mf8j, published Mar 23, 2026 by kolaente. Severity: Critical
Any frontend XSS escalates to Remote Code Execution due to nodeIntegration in Vikunja Desktop
GHSA-xh67-63q3-hf7g, published Mar 20, 2026 by kolaente. Severity: High
Learn more about advisories related to go-vikunja/vikunja in the GitHub Advisory Database