6.5

CVE-2026-35599

Exploit

Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VikunjaVikunja Version < 2.3.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.35% 0.264
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-407 Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
Release Notes
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7
Vendor Advisory
Exploit
https://github.com/go-vikunja/vikunja/pull/2577
Issue Tracking
https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b
Patch