58 matches found
CVE-2026-35594
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication GetLinkShareFromClaims in pkg/models/linksharing.go constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner delet...
Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Title Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade Description Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or...
EUVD-2026-21417
Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade...
Vikunja 代码问题漏洞
Vikunja is an open-source to-do application developed by Vikunja. Versions of Vikunja prior to 2.3.0 had code vulnerabilities. These vulnerabilities stemmed from the fact that link-sharing authentication was entirely based on JWT claims, without server-side database validation. As a result, delet...
SUSE CVE-2026-33680
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...
CVE-2026-33680
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...
GHSA-F95F-77JX-FCJC Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
Summary The DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target...
EUVD-2026-14925
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation...
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Summary The LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by...
GHSA-8HP8-9FHR-PFM9 Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Summary The LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by...
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
The LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by never...
CVE-2026-33680
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...
CVE-2026-33680 Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...
CVE-2026-33680 Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...
CVE-2026-33680
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...
CVE-2026-33680
Vikunja before version 2.2.2 is affected: the LinkSharing.ReadAll() API lets link-share users list all shares for a project, exposing secret hashes. Although LinkSharing.CanRead() blocks reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by never calling CanRead(), ...
CVE-2026-33680 Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...
Vikunja 授权问题漏洞
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.2.2 had a vulnerability related to authorization. This vulnerability stemmed from the LinkSharing.ReadAll method, which allowed the listing of all shared links, potentially leading to an...
PT-2025-49098
A stored cross-site scripting XSS vulnerability was discovered in Seafile Community Edition prior to version 13.0.12. When Seafile is configured with the Golang file server, an attacker can upload a crafted SVG file containing malicious JavaScript and share it using a public link. Opening the lin...
EUVD-2013-2984
Malware in sbrugna...