CVE-2026-33313

Sažetak

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.

Reference

https://github.com/go-vikunja/vikunja/commit/bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-mr3j-p26x-72x4
https://vikunja.io/changelog/vikunja-v2.2.0-was-released

CVSS

Base:	4.3
Impact:	1.4
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Zadnje važnije ažuriranje

24-03-2026 - 19:21

Objavljeno

24-03-2026 - 15:16