0.0

CVE-2025-71275 - Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Inject…

This CVE was rejected due to being a duplicate of CVE-2024-45519.

📅 Published: March 24, 2026, 3:21 p.m. 🔄 Last Modified: March 25, 2026, 8:49 p.m.

5.7

CVSS3.1

CVE-2026-33473 - Vikunja has TOTP Reuse During Validity Window

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.

📅 Published: March 24, 2026, 3:18 p.m. 🔄 Last Modified: March 27, 2026, 8:26 p.m.

6.5

CVSS4.0

CVE-2026-33336 - Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-gen…

📅 Published: March 24, 2026, 3:16 p.m. 🔄 Last Modified: March 27, 2026, 8:26 p.m.

6.4

CVSS4.0

CVE-2026-33335 - Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can …

📅 Published: March 24, 2026, 3:07 p.m. 🔄 Last Modified: April 15, 2026, 4:45 p.m.

6.5

CVSS4.0

CVE-2026-33334 - Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerabil…

📅 Published: March 24, 2026, 3:02 p.m. 🔄 Last Modified: March 27, 2026, 8:26 p.m.

8.1

CVSS3.1

CVE-2026-33316 - Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset withou…

📅 Published: March 24, 2026, 2:59 p.m. 🔄 Last Modified: March 26, 2026, 1:08 p.m.

6.9

CVSS4.0

CVE-2026-33315 - Vikunja has a 2FA Bypass via Caldav Basic Auth

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be pr…

📅 Published: March 24, 2026, 2:53 p.m. 🔄 Last Modified: March 25, 2026, 8:50 p.m.

5.3

CVSS4.0

CVE-2026-33313 - Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Ve…

📅 Published: March 24, 2026, 2:50 p.m. 🔄 Last Modified: March 25, 2026, 8:50 p.m.

7.8

CVSS3.1

CVE-2026-4775 - Libtiff: libtiff: arbitrary code execution or denial of service via signed integer overflow in tiff…

A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, poten…

📅 Published: March 24, 2026, 2:33 p.m. 🔄 Last Modified: May 7, 2026, 9:24 p.m.

8.7

CVSS4.0

CVE-2026-27651 - NGINX ngx_mail_auth_http_module vulnerability

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait…

📅 Published: March 24, 2026, 2:13 p.m. 🔄 Last Modified: March 30, 2026, 8:58 p.m.