VDB

CISA-2026-33313

CISA-2026-33313 PUBLISHED CVSS 5.3 MEDIUM

Reported by GitHub_M · Published March 24, 2026

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.

Risk Scores

CVSS 4.0
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products

VendorProductVersions
go-vikunjavikunja< 2.2.0
go-vikunjavikunja< 2.2.0, < 2.2.0

Timeline

  • Mar 24, 2026 CVE Published
  • Mar 24, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›