CVE-2026-33313
PUBLISHED
CVSS 5.3 MEDIUM
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.
EPSS 0.01% · 2.2th percentile
Risk Scores
CVSS 4.0
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.01%
2.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| go-vikunja | vikunja | *, < 2.2.0, * |
| code.vikunja.io | api | 0, 0, 0 |
| vikunja | vikunja | 0, 0, 0 |
Timeline
- Mar 20, 2026 CVE Published
- Mar 22, 2026 Security Advisory
- Mar 25, 2026 CVE Updated
- Mar 25, 2026 EPSS Score
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-mr3j-p26x-72x4 url
- https://github.com/go-vikunja/vikunja/commit/bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd url
- https://vikunja.io/changelog/vikunja-v2.2.0-was-released url
- https://nvd.nist.gov/vuln/detail/CVE-2026-33313 advisory
- https://github.com/go-vikunja/vikunja package