5 matches found
CVE-2026-35596
CVE-2026-35596 affects Vikunja prior to 2.3.0. The function hasAccessToLabel contains a SQL operator precedence bug in the label-permission query, allowing any authenticated user to read any label that has at least one task, regardless of project access. This exposes label titles, descriptions, co...
EUVD-2026-21420
Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug...
Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
Summary: The hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. Details: The access contr...
GHSA-HJ5C-MHH2-G7JQ Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
Summary: The hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. Details: The access contr...
Vikunja Security Vulnerability
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.3.0 contained security vulnerabilities. These vulnerabilities were caused by a mistake in the SQL operator precedence of the hasAccessToLabel function, which could allow any authenticated...