QwikSec

Security Database

CVE

CWE

Training

CVE-2026-33313

Published: Mar 24, 2026

Modified: Mar 24, 2026

PUBLISHED

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.

Vendor	Product	Versions
go-vikunja	vikunja	affected `< 2.2.0`

Weaknesses (CWE)

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-mr3j-p26x-72x4

x_refsource_CONFIRM

https://github.com/go-vikunja/vikunja/commit/bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd

x_refsource_MISC

https://vikunja.io/changelog/vikunja-v2.2.0-was-released

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.