Vikunja
CVE-2026-27575
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.
AnalysisAI
Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC available.
Technical ContextAI
CWE-521 weak password requirements. The application accepts short or trivial passwords without complexity requirements.
RemediationAI
Update to Vikunja 2.0.0. Implement minimum password length and complexity requirements.
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authenticati
Vikunja before version 2.0.0 contains a path traversal vulnerability in its backup restoration function that fails to va
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
Business logic vulnerability in Vikunja task management platform before 2.1.0 allows incomplete resource cleanup, potent
Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment acr
Authentication bypass in Vikunja task management platform allows unauthenticated attackers to circumvent two-factor auth
Vikunja prior to version 2.3.0 fails to validate link share permissions against server state during JWT authentication,
The Vikunja Desktop Electron application fails to validate or allowlist URI schemes before passing URLs from window.open
Cross-site scripting (XSS) in Vikunja prior to version 1.1.0 allows authenticated attackers to execute arbitrary JavaScr
Same weakness CWE-521 – Weak Password Requirements
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3ccg-x393-96v8