SUSE CVE-2026-33680

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...

Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation

The LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by never...

CVE-2026-33680

Vikunja before version 2.2.2 is affected: the LinkSharing.ReadAll() API lets link-share users list all shares for a project, exposing secret hashes. Although LinkSharing.CanRead() blocks reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by never calling CanRead(), ...

PT-2026-27453

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.2 Description Vikunja is a self-hosted task management platform. A flaw exists in the LinkSharing.ReadAll method where authenticated users with link share access can list all link shares for a project, including...