Lucene search
+L

820 matches found

Snyk
Snyk
added 2026/03/25 9:17 p.m.2 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the DownloadImage function when processing user avatar URLs from OpenID Connect authentication. An attacker can cause the server to make arbitrary HTTP requests to internal or cloud metadata endpoint...

7.4CVSS6.5AI score0.00332EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/25 9:17 p.m.2 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the ReadOne process. An attacker can gain unauthorized access to and delete files belonging to other users by supplying their own accessible task ID along with a target attachment...

8.6CVSS6.4AI score0.00265EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/25 9:17 p.m.4 views

EUVD-2026-14921

Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion...

8.1CVSS5.8AI score0.00265EPSS
Exploits1References3
Snyk
Snyk
added 2026/03/25 9:17 p.m.4 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the ReadAll process. An attacker can obtain plaintext BasicAuth credentials intended for external webhook authentication by accessing the API with only read permissions to a project. Remediation Upgrade...

7.1CVSS6.4AI score0.00297EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/25 9:17 p.m.4 views

EUVD-2026-14920

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API...

6.5CVSS5.8AI score0.00297EPSS
Exploits1References3
Snyk
Snyk
added 2026/03/25 9:17 p.m.6 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the ReadAll process. An attacker can obtain plaintext BasicAuth credentials intended for external webhook authentication by accessing the API with only read permissions to a project. Remediation Upgrade...

7.1CVSS5.9AI score0.00297EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/25 9:17 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the addRelatedTasksToTasks function. An attacker can obtain unauthorized access to sensitive task metadata from projects they do not have permission to view by reading tasks that have cross-project relations...

7.1CVSS6.4AI score0.0033EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/25 9:17 p.m.6 views

EUVD-2026-14917

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read...

6.5CVSS5.8AI score0.0033EPSS
Exploits1References5
Snyk
Snyk
added 2026/03/25 9:14 p.m.2 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the DownloadFile and DownloadFileWithHeaders functions. An attacker can cause the server to make arbitrary HTTP requests to internal network resources by supplying crafted URLs during the migration...

6.4CVSS6AI score0.00272EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/25 9:14 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the DownloadFile and DownloadFileWithHeaders functions. An attacker can cause the server to make arbitrary HTTP requests to internal network resources by supplying crafted URLs during the migration...

6.4CVSS6.5AI score0.00272EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/25 9:10 p.m.4 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization in the authentication process. An attacker can maintain unauthorized access to resources by using valid API tokens, CalDAV credentials, or OpenID Connect authentication even after the account has been disabled or...

8.1CVSS6.2AI score0.00453EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2026/03/25 6:31 p.m.10 views

@aaquib/whatsasenanpm (=1.3.5), @alexandersen01/sharepoint-mcp-server-better (=0.3.23) +86 more potentially affected by CVE-2026-26832 via node-tesseract-ocr (>=0.1.0 <=2.2.1)

node-tesseract-ocr NPM version =0.1.0, =1.0.10, =0.0.1, =2.3.50, =2.0.0, =0.0.1, =0.0.2, =1.0.0, =0.0.1, =0.0.1, =0.0.4 and more Source cves: CVE-2026-26832 Source advisory: OSV:GHSA-8J44-735H-W4W2...

9.8CVSS7.2AI score0.01706EPSS
Exploits3
OSV
OSV
added 2026/03/25 6:31 p.m.5 views

GHSA-8J44-735H-W4W2 node-tesseract-ocr is vulnerable to OS Command Injection through unsanitized recognize() function parameter

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

9.8CVSS5.9AI score0.01706EPSS
Exploits3References4
NVD
NVD
added 2026/03/25 5:16 p.m.6 views

CVE-2026-23979

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Softwebmedia Gyan Elements gyan-elements allows Reflected XSS.This issue affects Gyan Elements: from n/a through = 2.2.1...

7.1CVSS0.00175EPSS
Exploits0References1
NVD
NVD
added 2026/03/24 4:16 p.m.5 views

CVE-2026-33677

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...

6.5CVSS0.00297EPSS
Exploits1References2
NVD
NVD
added 2026/03/24 4:16 p.m.7 views

CVE-2026-33700

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...

6.9CVSS0.00205EPSS
Exploits0References2
NVD
NVD
added 2026/03/24 4:16 p.m.5 views

CVE-2026-33678

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...

8.1CVSS0.00265EPSS
Exploits1References2
NVD
NVD
added 2026/03/24 4:16 p.m.3 views

CVE-2026-33679

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DownloadImage function in pkg/utils/avatar.go uses a bare http.Client with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL. An attacker who controls their...

7.4CVSS0.00332EPSS
Exploits1References3
NVD
NVD
added 2026/03/24 4:16 p.m.10 views

CVE-2026-33676

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

6.5CVSS0.0033EPSS
Exploits1References4
NVD
NVD
added 2026/03/24 4:16 p.m.5 views

CVE-2026-33473

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue...

5.7CVSS0.00258EPSS
Exploits1References3
Rows per page
Query Builder