CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.
Analysis
Vikunja prior to version 2.2.1 contains a Server-Side Request Forgery (SSRF) vulnerability in its migration helper functions that lack HTTP request validation. An authenticated attacker can exploit this by triggering a Todoist or Trello migration, which causes the Vikunja server to fetch arbitrary URLs specified in attachment metadata from third-party APIs, potentially exposing internal network resources and returning their contents as task attachments. …
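The page does not show the patched helpers, so the following is an added example (not Vikunja's own code) of the guard a Go download helper such as the ones named above needs: a resolver that refuses loopback, private, link-local and similar destinations, and an `http.Client` whose dialer repeats that check at connect time so DNS rebinding and redirects cannot bypass an up-front validation. Function names and the timeouts are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// forbidden: loopback, private (RFC 1918 / ULA), link-local, unspecified or multicast.
func forbidden(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// resolveAllowed resolves host (a literal IP needs no DNS) and rejects the name if
// any address is forbidden, so a record mixing public and internal IPs cannot pass.
func resolveAllowed(host string) ([]net.IP, error) {
	ips, err := net.LookupIP(host)
	if err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if forbidden(ip) {
			return nil, fmt.Errorf("%q resolves to forbidden address %s", host, ip)
		}
	}
	return ips, nil
}

// safeDial re-checks at connect time and dials the vetted address itself, so DNS
// rebinding after an up-front check and redirects to internal hosts are refused too.
func safeDial(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := resolveAllowed(host)
	if err != nil {
		return nil, err
	}
	// Assumed 10s connect timeout; dial the checked IP, not the hostname, to avoid a second lookup.
	return (&net.Dialer{Timeout: 10 * time.Second}).DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
}

// NewSafeClient replaces http.DefaultClient in a download helper; it only speaks
// http(s), and every connection, redirects included, goes through safeDial.
func NewSafeClient() *http.Client {
	return &http.Client{Timeout: 30 * time.Second, Transport: &http.Transport{DialContext: safeDial}}
}
```

Any URL taken from a third-party API response should be fetched only through `NewSafeClient()`; a separate scheme or allow-list check before the request is still worthwhile, but the dialer is the part that cannot be raced.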
Remediation
Within 30 days: identify affected systems and apply vendor patches as part of the regular patch cycle. Monitor vendor channels for patch availability.
EUVD-2026-14916