Lucene search
+L

163 matches found

OSV
OSV
added 3 days ago3 views

CVE-2026-52840 Easy!Appointments has server-side request forgery in CalDAV connection test that exposes the deployment's internal network

Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, Caldav::connecttoserver at application/controllers/Caldav.php:60 hands the request's caldavurl to a Guzzle REPORT call without scheme or host validation. A logged-in backend user admin, provider, or secretary...

2.7CVSS6.2AI score0.00186EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago28 views

CVE-2026-52840 Easy!Appointments has server-side request forgery in CalDAV connection test that exposes the deployment's internal network

Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, Caldav::connecttoserver at application/controllers/Caldav.php:60 hands the request's caldavurl to a Guzzle REPORT call without scheme or host validation. A logged-in backend user admin, provider, or secretary...

2.7CVSS0.00186EPSS
Exploits0References2
CVE
CVE
added 3 days ago9 views

CVE-2026-52840

Affected software: Easy!Appointments (self-hosted) prior to 1.6.0. Vulnerability: Server-Side Request Forgery (SSRF) in the CalDAV connection test. In Caldav::connect_to_server (application/controllers/Caldav.php:60), the request’s caldav_url is handed to a Guzzle REPORT call without proper schem...

2.7CVSS6.2AI score0.00186EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.17 views

PT-2026-42364

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabilit...

4.1CVSS5.8AI score0.00196EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/04/14 7:22 p.m.7 views

CVE-2026-35598

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...

4.3CVSS5.9AI score0.00216EPSS
Exploits1References1
NVD
NVD
added 2026/04/10 5:17 p.m.6 views

CVE-2026-35601

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...

4.1CVSS0.00196EPSS
Exploits1References3
NVD
NVD
added 2026/04/10 5:17 p.m.6 views

CVE-2026-35598

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...

4.3CVSS0.00216EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/04/10 4:8 p.m.25 views

CVE-2026-35601 Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...

4.1CVSS0.00196EPSS
Exploits1References3
OSV
OSV
added 2026/04/10 4:8 p.m.4 views

CVE-2026-35601 Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...

4.1CVSS6AI score0.00196EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/04/10 4:8 p.m.2 views

CVE-2026-35601 Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...

4.1CVSS5.9AI score0.00196EPSS
Exploits1References3
CVE
CVE
added 2026/04/10 4:4 p.m.13 views

CVE-2026-35598

Vikunja CalDAV Read vulnerability (CVE-2026-35598): CalDAV GetResource/GetResourcesByList fetch tasks by UID without enforcing authorization, allowing any authenticated CalDAV user who knows or guesses a task UID to read full task data from any project. Affects Vikunja before v2.3.0; fixed in v2....

4.3CVSS5.9AI score0.00216EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/10 4:4 p.m.4 views

CVE-2026-35598 Vikunja has Missing Authorization on CalDAV Task Read

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...

4.3CVSS6AI score0.00216EPSS
Exploits1References6
Snyk
Snyk
added 2026/04/10 3:35 p.m.4 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via improper handling of user-supplied input in the ParseTodos function. An attacker can inject arbitrary iCalendar properties by including CRLF characters in task titles or other fields, which are then concatenated into...

5.1CVSS5.7AI score0.00196EPSS
Exploits1References2
OSV
OSV
added 2026/04/10 3:35 p.m.9 views

GHSA-2G7H-7RQR-9P4R Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output

Summary The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as...

4.1CVSS5.9AI score0.00196EPSS
Exploits1References5
Snyk
Snyk
added 2026/04/10 3:34 p.m.7 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the GetResource and GetResourcesByList processes. An attacker can access sensitive task data from projects they do not have permission to view by making authenticated CalDAV requests with a known or guessed task...

5.3CVSS5.8AI score0.00216EPSS
Exploits1References2
OSV
OSV
added 2026/04/10 3:34 p.m.5 views

GHSA-48CH-P4GQ-X46X Vikunja Missing Authorization on CalDAV Task Read

Summary The CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or guesses a task UID can read the full task data from any project on the...

4.3CVSS5.9AI score0.00216EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/04/10 3:34 p.m.7 views

Vikunja Missing Authorization on CalDAV Task Read

Summary The CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or guesses a task UID can read the full task data from any project on the...

4.3CVSS5.9AI score0.00216EPSS
Exploits1References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.12 views

PT-2026-31949

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0 Description The CalDAV GetResource and GetResourcesByList methods retrieve tasks by UID from the database without verifying the authenticated user's access to the task's project. This allows any authenticated...

4.3CVSS5.9AI score0.00216EPSS
Exploits1References9
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.10 views

Vikunja 安全漏洞

Vikunja is an open-source to-do application developed by Vikunja. Versions of Vikunja prior to 2.3.0 contained security vulnerabilities. These vulnerabilities stemmed from the CalDAV method, which did not verify the user’s access rights to task items when retrieving tasks by UID. This could allow...

4.3CVSS5.8AI score0.00216EPSS
Exploits1References5
SUSE CVE
SUSE CVE
added 2026/03/28 12:25 a.m.4 views

SUSE CVE-2026-33315

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References3
Rows per page
Query Builder