CVE-2026-33315 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-33315 PUBLISHED CVSS 6.900000095367432 MEDIUM

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.

EPSS 0.08% · 24.5th percentile

Risk Scores

CVSS v4.0

6.900000095367432

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS Score

0.08%

24.5th percentile

Affected Products

Vendor	Product	Versions
vikunja	vikunja	0, 0, 0
go-vikunja	vikunja	< 2.2.0, < 2.2.0, < 2.2.0
code.vikunja.io	api	0, 0, 0

Timeline

Mar 20, 2026 CVE Published
Mar 22, 2026 Security Advisory
Mar 25, 2026 CVE Updated
Mar 25, 2026 EPSS Score

References

Open in Interactive Console →