code.vikunja.io/api vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

CVE-ID | Severity | Package summary
CVE-2026-40103 | Medium | code.vikunja.io/api: Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
CVE-2026-35602 | Medium | code.vikunja.io/api: Vikunja has File Size Limit Bypass via Vikunja Import
CVE-2026-35601 | Medium | code.vikunja.io/api: Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
CVE-2026-35600 | Medium | code.vikunja.io/api: Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
CVE-2026-35599 | Medium | code.vikunja.io/api: Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
CVE-2026-35598 | Medium | code.vikunja.io/api: Vikunja Missing Authorization on CalDAV Task Read
CVE-2026-35597 | Medium | code.vikunja.io/api: Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout
CVE-2026-35596 | Medium | code.vikunja.io/api: Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
CVE-2026-35595 | High | code.vikunja.io/api: Vikunja vulnerable to Privilege Escalation via Project Reparenting
CVE-2026-35594 | Medium | code.vikunja.io/api: Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission…
CVE-2026-34727 | High | code.vikunja.io/api: Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
GHSA-2PV8-4C52-MF8J | Critical | code.vikunja.io/api: Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with…
CVE-2026-33700 | Medium | code.vikunja.io/api: Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link…
CVE-2026-33680 | High | code.vikunja.io/api: Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
CVE-2026-33679 | Medium | code.vikunja.io/api: Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
CVE-2026-33678 | High | code.vikunja.io/api: Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
CVE-2026-33677 | Medium | code.vikunja.io/api: Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
CVE-2026-33676 | Medium | code.vikunja.io/api: Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check…
CVE-2026-33675 | Medium | code.vikunja.io/api: Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal…
CVE-2026-33668 | High | code.vikunja.io/api: Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID…
CVE-2026-33474 | Medium | code.vikunja.io/api: Vikunja Affected by DoS via Image Preview Generation
CVE-2026-33473 | Medium | code.vikunja.io/api: Vikunja has TOTP Reuse During Validity Window
CVE-2026-33316 | High | code.vikunja.io/api: Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
CVE-2026-33315 | Medium | code.vikunja.io/api: Vikunja has a 2FA Bypass via Caldav Basic Auth
CVE-2026-33313 | Medium | code.vikunja.io/api: Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
