28667 matches found
CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33676
Summary: Vikunja, an open-source self-hosted task manager, has a cross-project information disclosure in its API. Before 2.2.1, when returning tasks, the API fills the related_tasks field with full task objects for all related tasks without verifying the requester’s read permission on those proje...
CVE-2026-33315
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CVE-2026-33315
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CLSA-2026-1774347657 capstone: Fix of CVE-2025-68114
CVE-2025-68114: fix stack buffer underflow/overflow in SStreamconcat...
Malicious code in @wame/ngx-frf-utilities (npm)
Malicious package due to JS obfuscation, dynamic code execution, OS/DNS access, suspicious install script, and untrustworthy project. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bfa63e93a0b5a6ead3de9d3680bb75a023c43b59c6db80e0072b6a239cb7d5da The package...
MAL-2026-2412 Malicious code in @wame/ngx-frf-utilities (npm)
Malicious package due to JS obfuscation, dynamic code execution, OS/DNS access, suspicious install script, and untrustworthy project. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bfa63e93a0b5a6ead3de9d3680bb75a023c43b59c6db80e0072b6a239cb7d5da The package...
Malicious code in @wame/ngx-adfs (npm)
Malicious package due to hex obfuscation, dynamic module loading, process access, suspicious install script, and untrustworthy project. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ee67ae68f066d11c3e0625e260c588df3d43384ae91fe74292977ea5304684d9 The package...
MAL-2026-2411 Malicious code in @wame/ngx-adfs (npm)
Malicious package due to hex obfuscation, dynamic module loading, process access, suspicious install script, and untrustworthy project. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ee67ae68f066d11c3e0625e260c588df3d43384ae91fe74292977ea5304684d9 The package...
MAL-2026-2416 Malicious code in oc-ccp-module-client (npm)
Malware due to hex obfuscation, suspicious install script, dynamic module loading, OS command access, process object access, and untrustworthy project. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b2b4b9cee1369c441aa8d759bc04085a8e2b14786df20656a8c6bc249e6260...
PT-2026-27320
Name of the Vulnerable Software and Affected Versions ncmdump versions prior to 1.4.0 Description A NULL pointer dereference issue exists in taurusxin ncmdump within the src/utils modules, specifically related to the cJSON.Cpp program files. This can lead to unexpected behavior or program crashes...
PT-2026-27449
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.1 Description Vikunja is a self-hosted task management platform. Before version 2.2.1, the API, when returning tasks, included complete task objects in the related tasks field without verifying if the user had...
PT-2026-27454
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.1 Description Vikunja is a self-hosted task management platform. A flaw exists where the DELETE /api/v1/projects/:project/shares/:share endpoint does not confirm that the link share belongs to the project specifie...
This Week in Spring - March 24th, 2026
Hi, Spring fans! Welcome to yet another rip-roarin' installment of This Week in Spring. As usual, we've got a ton to look into, so let's dive right in! Happy 22nd birthday to Spring Framework, released this day 22 years ago! and of course, next week, 1 April 2026, marks 12 years since Spring Boot...
solidtime 安全漏洞
Solidtime is an open-source time tracking application developed by Solidtime developers. Versions of Solidtime prior to 0.11.6 contained security vulnerabilities. These vulnerabilities stemmed from the improper use of the visibleByEmployee function on the project details endpoint. As a result, an...
📄 ddev/ddev ZipSlip Path Traversal
A ZipSlip path traversal vulnerability exists in ddev/ddev, a popular open-source local development tool for PHP, Python, and Node.js projects. Both the Untar and Unzip functions in pkg/archive/archive.go use filepath.Joindest, file.Name without any path containment validation, allowing a crafted...
PT-2026-27352
Name of the Vulnerable Software and Affected Versions activitypub-federation-rust affected versions not specified Description The v4 is invalid function in activitypub-federation-rust does not properly validate IPv4 addresses, specifically failing to check for Ipv4Addr::UNSPECIFIED 0.0.0.0. This...