CVE-2026-35596

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, description...

CVE-2026-35598

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...

Honeypot Protocol

Trusted monitoring, the standard defense in AI control, is vulnerable to adaptive attacks, collusion, and strategic attack selection. All of these exploit the fact that monitoring is passive: it observes model behavior but never probes whether the model would behave differently under different...

Insertion of Sensitive Information into Log File

Overview apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File which had masksecret applied. The DAG run logs UI exposes...

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +20 more potentially affected by CVE-2025-66236 via apache-airflow-task-sdk (>=1.0.0 <=1.1.4)

apache-airflow-task-sdk PYPI version =1.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =0.0.6.dev1 and more Source cves: CVE-2025-66236 Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-16032067...

apache-airflow (>=3.2.0b1 <=3.2.0b2), apache-airflow-core (>=3.2.0b1 <=3.2.0b2) +1 more potentially affected by CVE-2026-33858 via apache-airflow-task-sdk (>=1.2.0b1 <=1.2.0b2)

apache-airflow-task-sdk PYPI version =1.2.0b1, =3.2.0b1, =3.2.0b1, =10.13.0rc3, =10.16.0rc1 Source cves: CVE-2026-33858 Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-16032066...

Deserialization of Untrusted Data

Overview apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the XCom API. A privileged DAG Author can execute code on the...

CVE-2026-35601

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...

CVE-2026-35598

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...

CVE-2026-35601 Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...

CVE-2026-35601

CVE-2026-35601 affects Vikunja prior to 2.3.0 where the CalDAV output generator concatenates iCalendar VTODO fields without RFC 5545 escaping. User-controlled task titles containing CRLF can break the SUMMARY boundary, enabling injection of arbitrary iCalendar properties such as ATTACH, VALARM, o...

CVE-2026-35600 Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags,...

CVE-2026-35600

Vikunja prior to 2.3.0 is vulnerable to HTML Injection in overdue email notifications caused by embedding task titles directly in Markdown link syntax without escaping special characters. The task title is placed inside a Markdown link, which can break the link structure if it contains brackets, ...

CVE-2026-35600 Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags,...

CVE-2026-35599

Summary: CVE-2026-35599 affects Vikunja prior to version 2.3.0, where addRepeatIntervalToTime uses an O(n) loop to advance a date by RepeatAfter until it passes now. When a repeating task uses a 1-second interval and an old due_date, this can trigger billions of iterations, causing high CPU usage...

CVE-2026-35599 Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an On loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far ...

CVE-2026-35598

Vikunja CalDAV Read vulnerability (CVE-2026-35598): CalDAV GetResource/GetResourcesByList fetch tasks by UID without enforcing authorization, allowing any authenticated CalDAV user who knows or guesses a task UID to read full task data from any project. Affects Vikunja before v2.3.0; fixed in v2....

CVE-2026-35598 Vikunja has Missing Authorization on CalDAV Task Read

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...

CVE-2026-35598 Vikunja has Missing Authorization on CalDAV Task Read

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...

CVE-2026-35596 Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, description...