157 matches found
PT-2026-42364
Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabilit...
CVE-2026-35598
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...
CVE-2026-35601
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...
CVE-2026-35598
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...
CVE-2026-35601 Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...
CVE-2026-35601 Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...
CVE-2026-35598
Vikunja CalDAV Read vulnerability (CVE-2026-35598): CalDAV GetResource/GetResourcesByList fetch tasks by UID without enforcing authorization, allowing any authenticated CalDAV user who knows or guesses a task UID to read full task data from any project. Affects Vikunja before v2.3.0; fixed in v2....
CRLF Injection
Overview Affected versions of this package are vulnerable to CRLF Injection via improper handling of user-supplied input in the ParseTodos function. An attacker can inject arbitrary iCalendar properties by including CRLF characters in task titles or other fields, which are then concatenated into...
GHSA-2G7H-7RQR-9P4R Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
Summary The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as...
Vikunja Missing Authorization on CalDAV Task Read
Summary The CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or guesses a task UID can read the full task data from any project on the...
GHSA-48CH-P4GQ-X46X Vikunja Missing Authorization on CalDAV Task Read
Summary The CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or guesses a task UID can read the full task data from any project on the...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the GetResource and GetResourcesByList processes. An attacker can access sensitive task data from projects they do not have permission to view by making authenticated CalDAV requests with a known or guessed task...
Vikunja 安全漏洞
Vikunja is an open-source to-do application developed by Vikunja. Versions of Vikunja prior to 2.3.0 contained security vulnerabilities. These vulnerabilities stemmed from the CalDAV method, which did not verify the user’s access rights to task items when retrieving tasks by UID. This could allow...
PT-2026-31949
Summary The CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or guesses a task UID can read the full task data from any project on the...
SUSE CVE-2026-33315
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
SUSE CVE-2026-33668
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths - API tokens, CalDAV...
CVE-2026-33315
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
Summary When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue...
GHSA-94XM-JJ8X-3CR4 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
Summary When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization in the authentication process. An attacker can maintain unauthorized access to resources by using valid API tokens, CalDAV credentials, or OpenID Connect authentication even after the account has been disabled or...