9 matches found
CVE-2026-35598
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...
CVE-2026-35601
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...
CVE-2026-35601 Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...
CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
Authentication Bypass Using an Alternate Path or Channel
Overview: Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the caldav authentication process. An attacker can gain unauthorized access to sensitive project information by bypassing two-factor authentication using Basic Authentication...
CVE-2025-59045 Stalwart vulnerable to Memory Exhaustion via CalDAV Event Expansion
Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through...
stalwart security vulnerability
stalwart is a versatile mail and collaboration server open-sourced by Stalwart Labs. A security vulnerability exists in stalwart versions prior to 0.12.0 through 0.13.3, which stems from a memory exhaustion issue in the CalDAV implementation that could lead to a denial of service attack...
PT-2025-37076
Name of the Vulnerable Software and Affected Versions: Stalwart versions 0.12.0 through 0.13.2. Description: Stalwart is a mail and collaboration server. A memory exhaustion vulnerability exists in Stalwart’s CalDAV implementation that allows authenticated attackers to cause a denial-of-service by...
CVE-2011-3253
CalDAV in Apple iOS before 5 does not validate X.509 certificates for SSL sessions, which allows man-in-the-middle attackers to spoof calendar servers and obtain sensitive information via an arbitrary certificate...