17 matches found
SUSE CVE-2026-33677
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...
CVE-2026-33677
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...
Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Summary: The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later...
EUVD-2026-14920
Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API...
GHSA-7C2G-P23P-4JG3 Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Summary: The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later...
Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration we...
CVE-2026-33677
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...
CVE-2026-33677
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...
CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...
CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...
CVE-2026-33677
Vikunja (self-hosted task management) prior to version 2.2.1 exposes webhook BasicAuth credentials (basic_auth_user, basic_auth_password) via GET /api/v1/projects/:project/webhooks to any user with read access. The code already masks the HMAC secret, but the BasicAuth fields were not masked after...
PT-2026-27450
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.2.1. Description: Vikunja is a self-hosted task management platform. The GET /api/v1/projects/:project/webhooks API endpoint exposes BasicAuth credentials basic_auth_user and basic_auth_password in plaintext to users...
CVE-2026-30845
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...
CVE-2026-30845
Wekan (versions 8.31.0–8.33) exposes webhook credentials via the board composite publication because it does not filter fields, allowing any subscriber (including unauthenticated DDP clients for public boards) to access sensitive data. This enables unauthenticated requests to external webhooks an...
CVE-2026-30845
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...
CVE-2026-30845 Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...
WeKan Security Vulnerability
WeKan is an open-source dashboard application developed by WeKan. Versions of WeKan from 8.31.0 to 8.33 contain security vulnerabilities. These vulnerabilities stem from the lack of field filtering during integrated data publishing, which may lead to the exposure of Webhook credentials...