61257 matches found
CVE-2026-35594
CVE-2026-35594 affects Vikunja prior to version 2.3.0, where link-share JWTs were validated entirely from JWT claims without server-side checks. The GetLinkShareFromClaims path builds a LinkSharing object without database validation, allowing previously issued link-share JWTs to retain their orig...
Insufficient Session Expiration
Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration due to the lack of server-side validation in the GetLinkShareFromClaims process. An attacker can retain unauthorized access to resources by using previously issued JWT tokens even after a link share is...
EUVD-2026-21417
Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade...
Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Title: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Description: Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or...
GHSA-96Q5-XM3P-7M84 Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Title: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Description: Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or...
Host Header Injection
github.com/zitadel/zitadel is vulnerable to Host Header Injection. The vulnerability is due to improper validation of the Forwarded or X-Forwarded-Host headers when generating password reset links, which allows an attacker to manipulate the link to a malicious domain and capture the reset code,...
CVE-2026-40217
creationtimestamp | type | source
---|---|---
2026-04-10 15:17:37+00:00 | seen | Telegram/BHjpIBo0iRlJvCTjCc1tWATK3ONpTPYFFDHwGYF-bIOT41U
2026-04-10 15:37:09+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj5nnyqjgd2j
2026-04-11 10:00:21+00:00 | seen | ...
CVE-2026-0737
creationtimestamp | type | source
---|---|---
2026-04-10 14:30:07+00:00 | seen | https://bsky.app/profile/atomicedge.bsky.social/post/3mj5jw4mexm2o...
CVE-2026-6038
creationtimestamp | type | source
---|---|---
2026-04-10 11:02:31+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj56cvmzdz2q
2026-04-10 11:16:18+00:00 | published-proof-of-concept | Telegram/khgEEPiWkGL9WACMPfvZ8dGv1ooPTaC6hfehoeURB75s6dQ...
CVE-2026-6036
creationtimestamp | type | source
---|---|---
2026-04-10 10:52:30+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj55qyb6sb23
2026-04-10 11:16:18+00:00 | published-proof-of-concept | Telegram/khgEEPiWkGL9WACMPfvZ8dGv1ooPTaC6hfehoeURB75s6dQ...
CVE-2026-6034
creationtimestamp | type | source
---|---|---
2026-04-10 10:47:29+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj55hzsmqy27...
CVE-2026-6035
creationtimestamp | type | source
---|---|---
2026-04-10 10:33:11+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj54ohahsu23...
CVE-2026-33455
creationtimestamp | type | source
---|---|---
2026-04-10 10:11:20+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj53hfik7l2s...
CVE-2026-5525
creationtimestamp | type | source
---|---|---
2026-04-10 10:06:01+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj535ug5a42j...
CVE-2026-40259
creationtimestamp | type | source
---|---|---
2026-04-10 09:32:21+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg
2026-04-17 00:56:20+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjnppgbvvx2d
2026-04-17 01:16:10+00:00...
EUVD-2026-21316
EmoCheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed in the same directory, arbitrary code may be executed with the privilege of the user invoking EmoCheck...
CVE-2026-5900
A policy bypass flaw was found in the Downloads component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=475265304...
CVE-2026-6006
creationtimestamp | type | source
---|---|---
2026-04-10 06:31:50+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj4p6vauzx25...