CVE-2026-27575

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27575
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8 Vendor Advisory Exploit
https://vikunja.io/changelog/vikunja-v2.0.0-was-released Release Notes
Configurations

Configuration 1 (hide)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
History

05 Mar 2026, 17:21

Type Values Removed Values Added
CPE cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
References () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8 - () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8 - Vendor Advisory, Exploit
References () https://vikunja.io/changelog/vikunja-v2.0.0-was-released - () https://vikunja.io/changelog/vikunja-v2.0.0-was-released - Release Notes
First Time Vikunja
Vikunja vikunja

27 Feb 2026, 14:06

Type Values Removed Values Added
Summary
  • (es) Vikunja es una plataforma de gestión de tareas de código abierto autoalojada. Antes de la versión 2.0.0, la aplicación permite a los usuarios establecer contraseñas débiles (p. ej., 1234, password) sin aplicar requisitos de fortaleza mínima. Además, las sesiones activas permanecen válidas después de que un usuario cambia su contraseña. Un atacante que compromete una cuenta (mediante fuerza bruta o relleno de credenciales) puede mantener acceso persistente incluso después de que la víctima restablece su contraseña. La versión 2.0.0 contiene una corrección.

25 Feb 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-25 22:16

Updated : 2026-03-05 17:21

NVD link : CVE-2026-27575

Mitre link : CVE-2026-27575

CVE.ORG link : CVE-2026-27575

JSON object : View

Products Affected

vikunja

  • vikunja
CWE
CWE-521

Weak Password Requirements

CWE-613

Insufficient Session Expiration