GHSA-FGFV-PV97-6CMJ Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout
Summary The TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. The account lock is written to the same database session that the login handler always rolls back on TOTP failure, so the lockout is triggered but never persisted. This allows unlimited...