GHSA-2pv8-4c52-mf8j

Summary

Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api

Severity

medium

Also known as

GO-2026-4855

Published

2026-03-26

References

• https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j
• https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9
• https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2

Related advisories

• CVE-2026-34727 — high · Go/code.vikunja.io/api
• CVE-2026-35595 — medium · Go/code.vikunja.io/api
• CVE-2026-35601 — medium · Go/code.vikunja.io/api
• CVE-2026-40103 — medium · Go/code.vikunja.io/api
• CVE-2026-35602 — medium · Go/code.vikunja.io/api
• CVE-2026-35600 — medium · Go/code.vikunja.io/api
• CVE-2026-35599 — medium · Go/code.vikunja.io/api
• CVE-2026-35598 — medium · Go/code.vikunja.io/api

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity