CVE-2026-27575
CRITICAL
GHSA-3ccg-x393-96v8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.
Analysis
Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC available.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Vikunja deployments and document affected versions; disable or restrict Vikunja access if operationally feasible, or implement compensating controls listed below. Within 7 days: Implement network segmentation to limit Vikunja exposure; enforce multi-factor authentication (MFA) for all Vikunja user accounts; monitor authentication logs for suspicious activity. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today