CVE-2026-35602

Published: Apr 10, 2026

Modified: Apr 14, 2026

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.

Vendor	Product	Versions
go-vikunja	vikunja	affected `< 2.3.0`

Weaknesses (CWE)

CWE-770

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-qh78-rvg3-cv54

x_refsource_CONFIRM

https://github.com/go-vikunja/vikunja/pull/2575

x_refsource_MISC

https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-35602

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References