5879 matches found
EUVD-2026-14903
DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery CSRF vulnerability in /systaskadd.php...
CVE-2026-33678
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...
CVE-2026-33678 Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...
CVE-2026-33678 Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...
CVE-2026-33678 Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...
CVE-2026-33678
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...
CVE-2026-33678
Vikunja prior to 2.2.1 suffers an IDOR: TaskAttachment.ReadOne() queries by attachment ID only and ignores the URL task_id, allowing any authenticated user to access or delete attachments across projects by supplying their own task_id. The read path validates the URL task, but ReadOne() loads the...
CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33676
Summary: Vikunja, an open-source self-hosted task manager, has a cross-project information disclosure in its API. Before 2.2.1, when returning tasks, the API fills the related_tasks field with full task objects for all related tasks without verifying the requester’s read permission on those proje...
CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33313
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...
CVE-2026-33313
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...
CVE-2026-33313 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...
CVE-2026-33313 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...
CVE-2026-33313
CVE-2026-33313 / GHSA-MR3J-P26X-72X4 – Vikunja IDOR in Task Comments : An authenticated user who can read a task can read any comment by ID by substituting a task ID in the API URL (GET /api/v1/tasks/{taskID}/comments/{commentID}). Root cause: the system constructs a Task from the URL taskID and ...
CVE-2026-33313 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...
WordPress Task Manager plugin <= 3.0.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'task_id' Parameter vulnerability
Authenticated Subscriber+ Arbitrary Shortcode Execution via 'taskid' Parameter vulnerability discovered by theviper17y in WordPress Plugin Task Manager versions = 3.0.2...
EUVD-2026-14588
OpenClaw before 2026.2.19 contains a local command injection vulnerability in Windows scheduled task script generation that allows attackers to execute arbitrary commands by injecting cmd metacharacters into unsafe gateway.cmd arguments. Attackers with control over service script generation value...
EUVD-2026-14553
OpenClaw versions prior to 2026.2.18 contain a command injection vulnerability in Windows Scheduled Task script generation where environment variables are written unquoted to gateway.cmd, allowing shell metacharacters to break out of assignment context. Attackers can inject arbitrary commands...