Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
Summary: TaskAttachment.ReadOne queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads a different attachment that may belong to a task in another project. This allows...
CVE-2026-33680
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...
EUVD-2026-13708
Vikunja read-only users can delete project background images via broken object-level authorization...
Vikunja Security Vulnerability
Vikunja is an open-source to-do application developed by the Vikunja developers. Vikunja versions 0.20.2 through 2.2.0 contain a security vulnerability. The vulnerability stems from a typo in the endpoint DELETE /api/v1/projects/:project/background: the permission checked was CanRead...
PT-2022-36781 · Oracle · Java.Base
Name of the Vulnerable Software and Affected Versions: java.base (affected versions not specified). Description: A security exception crash has been reported. The crash involves the com.ctc.wstx.dtd.FullDTDReader.readContentSpec function, java.base/java.lang.Module.canRead, and...