CVE-2026-33312
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delet...
CVE-2026-33312 Read-only Vikunja users can delete project background images via broken object-level authorization
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delet...
CVE-2026-33312
Vikunja open‑source self-hosted task management platform. Affected: versions 0.20.2 through 2.1.x (prior to 2.2.0). Issue: the DELETE /api/v1/projects/:project/background endpoint checks CanRead instead of CanUpdate, allowing any user with read‑only access to a project to permanently delete its b...
CVE-2026-4454
A use-after-free flaw was found in the Network component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=488585488...
CVE-2026-33191
CVE-2026-33191 affects Free5GC UDM (Nudm_SubscriberDataManagement API) where null byte injections in the supi URL path parameter (URL-encoded %00) trigger Go’s net/url parsing error, leading to a 500 Internal Server Error and enabling denial-of-service conditions. Multiple sources confirm the iss...
CVE-2026-32769
Fullchain (github.com/ctfer-io/fullchain) is affected prior to version 0.1.1 due to a mis-written inter-namespace NetworkPolicy that allows a subverted application to pivot to pods outside the origin namespace, enabling lateral movement. The issue has been fixed in version 0.1.1. Workaround: dele...
PT-2026-26622
Summary The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Details The RemoveProjectBackground handler pkg/modules/background/handler/background.g...
CVE-2026-29828
DooTask v1.6.27 has a Cross-Site Scripting XSS vulnerability in the /manage/project/ page via the input field projectDesc...
PT-2026-26751
Name of the Vulnerable Software and Affected Versions Vikunja affected versions not specified Description An authenticated user can access task comments without proper authorization checks. Specifically, an attacker can read any task comment by ID, even if they do not have access to the associate...
DooTask security vulnerability
DooTask is a task management tool developed by Kuaifan’s individual developers. Version 1.6.27 of DooTask contains a security vulnerability. This vulnerability stems from improper handling of the projectDesc input field in the /manage/project/ page, which may lead to cross-site scripting attacks...
PT-2026-26643
CVE-2026-29828 DooTask v1.6.27 has a Cross-Site Scripting XSS vulnerability in the /manage/project/id page via the input field projectDesc. https://t.co/IdJyEMWfTe...
Vikunja has a 2FA Bypass via Caldav Basic Auth
The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc...
Vikunja read-only users can delete project background images via broken object-level authorization
The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image...
Vikunja security vulnerability
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja from 0.20.2 to 2.2.0 contained security vulnerabilities. The vulnerability stemmed from a typo in the endpoint DELETE /api/v1/projects/:project/background; the permission being checked was CanRead...
nrf access control error vulnerability
nrf is a network storage library module open-sourced by free5GC. Versions prior to nrf 1.4.2 contained an access control vulnerability, which stemmed from improper input validation in the EncodeGroupId function. This vulnerability could lead to denial of service attacks...
PT-2026-26752
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.1.0 Description The Caldav endpoint allows login using Basic Authentication, which bypasses the TOTP for accounts with 2FA enabled. This allows access to project information normally protected by 2FA, such as projec...
CVE-2026-29828
CVE-2026-29828 affects DooTask v1.6.27 with a Cross-Site Scripting (XSS) vulnerability on the /manage/project/ page via the projectDesc input. The root cause and vulnerable component are described across multiple sources as an XSS in the manage/project interface; no explicit exploit details or re...
CVE-2026-30872 OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the matchipv6addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains .ip6.arpa receiv...