CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

30 matches found

SUSE CVE•added 2026/03/28 12:24 a.m.•4 views

SUSE CVE-2026-33675

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions DownloadFile and DownloadFileWithHeaders in pkg/modules/migration/helpers.go make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trell...

6.4CVSS6AI score0.00053EPSS

Exploits1References3

OSV•added 2026/03/26 8:33 p.m.•1 views

GO-2026-4851 Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causin...

6.4CVSS5.9AI score0.00053EPSS

Exploits1References4

RedhatCVE•added 2026/03/26 3:8 p.m.•0 views

CVE-2026-33675

6.4CVSS5.9AI score0.00053EPSS

Exploits1References1

OSV•added 2026/03/25 9:14 p.m.•2 views

GHSA-G66V-54V9-52PR Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources

Summary The migration helper functions DownloadFile and DownloadFileWithHeaders in pkg/modules/migration/helpers.go make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed...

6.4CVSS6AI score0.00053EPSS

Exploits1References5

Github Security Blog•added 2026/03/25 9:14 p.m.•3 views

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources

6.4CVSS6AI score0.00053EPSS

Exploits1References5Affected Software1

GitLab Advisory Database•added 2026/03/25 12:0 a.m.•3 views

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources

The migration helper functions DownloadFile and DownloadFileWithHeaders in pkg/modules/migration/helpers.go make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly ...

6.4CVSS5.9AI score0.00053EPSS

Exploits1References6Affected Software1

NVD•added 2026/03/24 4:16 p.m.•1 views

CVE-2026-33675

6.4CVSS0.00053EPSS

Exploits1References3

Vulnrichment•added 2026/03/24 3:33 p.m.•2 views

CVE-2026-33675 Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources

6.4CVSS5.9AI score0.00053EPSS

Exploits1References3

CVE•added 2026/03/24 3:33 p.m.•7 views

CVE-2026-33675

Vikunja prior to version 2.2.1 is affected by an SSRF in the migration path: the DownloadFile and DownloadFileWithHeaders helpers in pkg/modules/migration/helpers.go take file attachment URLs from Todoist/Trello migrations and are invoked with no SSRF protection. An attacker can force the Vikunja...

6.4CVSS5.9AI score0.00053EPSS

Exploits1References3Affected Software1

Cvelist•added 2026/03/24 3:33 p.m.•19 views

CVE-2026-33675 Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources

6.4CVSS0.00053EPSS

Exploits1References3

OSV•added 2026/03/24 3:33 p.m.•2 views

CVE-2026-33675 Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources

6.4CVSS6AI score0.00053EPSS

Exploits1References5

Positive Technologies•added 2026/03/24 12:0 a.m.•0 views

PT-2026-27446

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.1 Description Vikunja is a self-hosted task management platform. Prior to version 2.2.1, the DownloadFile and DownloadFileWithHeaders functions within the pkg/modules/migration/helpers.go file do not have...

6.4CVSS5.8AI score0.00053EPSS

Exploits1References8

RedhatCVE•added 2025/12/11 12:3 a.m.•3 views

CVE-2025-63317

Todoist v8896 is vulnerable to Cross Site Scripting XSS in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment...

5.4CVSS6.1AI score0.00033EPSS

Exploits1References1

EUVD•added 2025/12/01 9:30 p.m.•2 views

EUVD-2025-200090

5.6AI score0.00033EPSS

Exploits1References2

NVD•added 2025/12/01 8:15 p.m.•1 views

CVE-2025-63317

5.4CVSS0.00033EPSS

Exploits1References1

OSV•added 2025/12/01 8:15 p.m.•2 views

CVE-2025-63317

5.4CVSS5.8AI score

Exploits0References1

Positive Technologies•added 2025/12/01 12:0 a.m.•2 views

PT-2025-48541

Name of the Vulnerable Software and Affected Versions Todoist version 8896 Description Todoist version 8896 has a Cross Site Scripting XSS issue in the /api/v1/uploads API endpoint. Uploaded SVG files lack sanitization, allowing embedded JavaScript to execute when a user opens the attachment from...

5.4CVSS6.3AI score0.00033EPSS

Exploits1References4

Vulnrichment•added 2025/12/01 12:0 a.m.•1 views

CVE-2025-63317

5.7AI score0.00033EPSS

Exploits1References1

Cvelist•added 2025/12/01 12:0 a.m.•4 views

CVE-2025-63317

0.00033EPSS

Exploits1References1

CNNVD•added 2025/12/01 12:0 a.m.•1 views

Todoist 安全漏洞

Todoist is a task management and to-do list application from Todoist, Inc. A security vulnerability exists in Todoist version v8896, which stems from a lack of cleanup of uploaded SVG files in /api/v1/uploads, which could lead to a cross-site scripting attack...

5.4CVSS6.1AI score0.00033EPSS

Exploits1References2

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by