9 matches found
GO-2026-4850 Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api
Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
CVE-2026-33676
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33473 Vikunja has TOTP Reuse During Validity Window
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30-second validity window. Version 2.2.1 patches the issue...
Vikunja security vulnerability
Vikunja is an open-source to-do application developed by Vikunja. Versions of Vikunja prior to 2.2.1 contained security vulnerabilities. These vulnerabilities stemmed from the DELETE /api/v1/projects/:project/shares/:share endpoint, which did not validate the project to which link sharing belonge...
Vikunja code issue vulnerability
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.2.1 had code vulnerabilities. These vulnerabilities stemmed from a lack of SSRF protection in the DownloadImage function, which could lead to server-side request forgery attacks...
LF Edge eKuiper SQL injection vulnerability
LF Edge eKuiper is a lightweight edge IoT data analytics software from the LF Edge open-source project. A SQL injection vulnerability exists in LF Edge eKuiper versions prior to 2.2.1, in the getLast API function, which could lead to the execution of arbitrary SQ...
VulnCheck KEV: CVE-2023-1177
Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1...
PT-2023-9130 · Qumagie · Qumagie
Name of the Vulnerable Software and Affected Versions: QuMagie versions prior to 2.2.1. Description: A SQL injection issue has been reported, potentially allowing authenticated users to inject malicious code via a network. This could be exploited by a remote attacker to execute arbitrary code. The...
Iris cross-site scripting vulnerability
Iris is a fast, simple, yet full-featured and very efficient Go web framework. A security vulnerability exists in Iris versions prior to 2.2.1, which stems from the presence of a stored cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious script into an application,...