Back to search
CVE-2026-33700
Published: Mar 24, 2026
Modified: Mar 24, 2026
PUBLISHED
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.
| Vendor | Product | Versions |
|---|---|---|
go-vikunja | vikunja | affected < 2.2.1 |
Weaknesses (CWE)
References
https://vikunja.io/changelog/vikunja-v2.2.2-was-released
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now