Security Advisories for code.vikunja.io/api in go
Moderate
20 days ago
Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
go
code.vikunja.io/api
Moderate
20 days ago
Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
go
code.vikunja.io/api
Moderate
20 days ago
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
go
code.vikunja.io/api
Moderate
20 days ago
Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
go
code.vikunja.io/api
Moderate
20 days ago
Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout
go
code.vikunja.io/api
Moderate
20 days ago
Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
go
code.vikunja.io/api
High
20 days ago
Vikunja vulnerable to Privilege Escalation via Project Reparenting
go
code.vikunja.io/api
Moderate
20 days ago
Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
go
code.vikunja.io/api
High
20 days ago
Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
go
code.vikunja.io/api
Critical
about 1 month ago
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR
go
code.vikunja.io/api
Moderate
about 1 month ago
Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
go
code.vikunja.io/api
High
about 1 month ago
Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
go
code.vikunja.io/api
Moderate
about 1 month ago
Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
go
code.vikunja.io/api
High
about 1 month ago
Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
go
code.vikunja.io/api
Moderate
about 1 month ago
Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
go
code.vikunja.io/api
Moderate
about 1 month ago
Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
go
code.vikunja.io/api
Moderate
about 1 month ago
Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources
go
code.vikunja.io/api
High
about 1 month ago
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
go
code.vikunja.io/api
Moderate
about 1 month ago
Vikunja Affected by DoS via Image Preview Generation
go
code.vikunja.io/api
High
about 1 month ago
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
go
code.vikunja.io/api
Moderate
about 1 month ago
Vikunja has an IDOR in Task Comments That Allows Reading Arbitrary Comments
go
code.vikunja.io/api
Moderate
about 1 month ago
Vikunja read-only users can delete project background images via broken object-level authorization
go
code.vikunja.io/api
Moderate
about 1 month ago
Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers
go
code.vikunja.io/api
Critical
2 months ago
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
go
code.vikunja.io/api
High
2 months ago
Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure
go
code.vikunja.io/api
Critical
2 months ago
Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change
go
code.vikunja.io/api
Moderate
2 months ago
Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module
go
code.vikunja.io/api