Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.5 HIGH
CVE-2026-33680 — Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission …

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project,…

vikunja | Remote | Authorization
Mar 24, 2026 Mar 30, 2026
Mar 24, 2026
Mar 30, 2026
7.4 HIGH
CVE-2026-33679 — Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when …

vikunja | Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 30, 2026
Mar 24, 2026
Mar 30, 2026
8.1 HIGH
CVE-2026-33678 — Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL p…

vikunja | Remote | Authorization
Mar 24, 2026 Mar 30, 2026
Mar 24, 2026
Mar 30, 2026
6.5 MEDIUM
CVE-2026-33677 — Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` …

vikunja | Remote | Information Disclosure
Mar 24, 2026 Mar 27, 2026
Mar 24, 2026
Mar 27, 2026
6.5 MEDIUM
CVE-2026-33676 — Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorizati…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all relat…

vikunja | Remote | Authorization
Mar 24, 2026 Mar 27, 2026
Mar 24, 2026
Mar 27, 2026
6.4 MEDIUM
CVE-2026-33675 — Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading In…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.g…

vikunja | Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 27, 2026
Mar 24, 2026
Mar 27, 2026
8.1 HIGH
CVE-2026-33668 — Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and …

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on …

vikunja | Remote | Authentication
Mar 24, 2026 Mar 27, 2026
Mar 24, 2026
Mar 27, 2026
6.5 MEDIUM
CVE-2026-33474 — Vikunja Affected by DoS via Image Preview Generation

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attac…

vikunja | Remote | Denial of Service
Mar 24, 2026 Mar 27, 2026
Mar 24, 2026
Mar 27, 2026
5.7 MEDIUM
CVE-2026-33473 — Vikunja has TOTP Reuse During Validity Window

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 se…

vikunja | Remote | Authentication
Mar 24, 2026 Mar 27, 2026
Mar 24, 2026
Mar 27, 2026
8.8 HIGH
CVE-2026-33336 — Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main Brows…

vikunja | Remote | Misconfiguration
Mar 24, 2026 Mar 27, 2026
Mar 24, 2026
Mar 27, 2026
8.0 HIGH
CVE-2026-33335 — Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openE…

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls dire…

vikunja | Remote | Misconfiguration
Mar 24, 2026 Mar 27, 2026
Mar 24, 2026
Mar 27, 2026
9.6 CRITICAL
CVE-2026-33334 — Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegrati…

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer p…

vikunja | Remote | Cross-Site Scripting
Mar 24, 2026 Mar 27, 2026
Mar 24, 2026
Mar 27, 2026
5.4 MEDIUM
CVE-2026-29840 — JiZhiCMS Stored Cross-Site Scripting (XSS)

JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filte…

jizhicms | Remote | Cross-Site Scripting
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
8.8 HIGH
CVE-2026-29839 — DedeCMS CSRF

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.

dedecms | Remote | Cross-Site Request Forgery
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
Showing 20 of 6354 Results