CVE-2026-33473

{"id": "CVE-2026-33473", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2026-03-24T16:16:33.710", "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. A partir de la versi\u00f3n 0.13 y antes de la versi\u00f3n 2.2.1, cualquier usuario que haya habilitado 2FA puede ver su TOTP reutilizado durante la ventana de validez est\u00e1ndar de 30 segundos. La versi\u00f3n 2.2.1 corrige el problema."}], "lastModified": "2026-03-27T16:53:32.720", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9EDB458-A25F-4E79-A8D5-340826D95EB6", "versionEndExcluding": "2.2.1", "versionStartIncluding": "0.13"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}