Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the improper enforcement of access controls in the ReadAll and GetTaskAttachment processes. An attacker can gain unauthorized access to and delete file attachments across all...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the DownloadImage function when processing user avatar URLs from OpenID Connect authentication. An attacker can cause the server to make arbitrary HTTP requests to internal or cloud metadata endpoint...

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack via the TOTP authentication process. An attacker can bypass authentication controls by reusing a valid TOTP code within its validity window. Remediation Upgrade github.com/go-vikunja/vikunja/pkg/user to version 2.2.1 or...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the RemoveProjectBackground process. An attacker can permanently delete background images by sending a DELETE request to the relevant API endpoint with only read-level permissions. Remediation Upgrade...

GO-2026-4551 Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api

Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api...