CVE-2026-35596

Exploit

EPSS 0.03%
Veröffentlicht 10.04.2026 15:59:43
Zuletzt bearbeitet 17.04.2026 22:00:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vikunja ≫ Vikunja Version < 2.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.075

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0

Release Notes

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq

Vendor Advisory

Exploit

https://github.com/go-vikunja/vikunja/pull/2578

Issue Tracking

https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-35596

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35596

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35596

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35596