CVE-2026-33679

Summary

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api

Severity

medium

EPSS

0.3% (p25)

Also known as

GHSA-g9xj-752q-xh63, GO-2026-4852

Published

2026-03-26

References

• https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63
• https://nvd.nist.gov/vuln/detail/CVE-2026-33679
• https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf

Related advisories

• CVE-2026-34727 — high · Go/code.vikunja.io/api
• CVE-2026-35595 — medium · Go/code.vikunja.io/api
• CVE-2026-35601 — medium · Go/code.vikunja.io/api
• CVE-2026-40103 — medium · Go/code.vikunja.io/api
• CVE-2026-35602 — medium · Go/code.vikunja.io/api
• CVE-2026-35600 — medium · Go/code.vikunja.io/api
• CVE-2026-35599 — medium · Go/code.vikunja.io/api
• CVE-2026-35598 — medium · Go/code.vikunja.io/api

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity