{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27575", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T17:40:28.449Z", "datePublished": "2026-02-25T21:35:23.230Z", "dateUpdated": "2026-02-26T20:39:18.888Z"}, "containers": {"cna": {"title": "Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change", "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "lang": "en", "description": "CWE-521: Weak Password Requirements", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8"}, {"name": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T21:35:23.230Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix."}], "source": {"advisory": "GHSA-3ccg-x393-96v8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T20:39:07.391895Z", "id": "CVE-2026-27575", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T20:39:18.888Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27575", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T20:39:07.391895Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T20:39:13.432Z"}}], "cna": {"title": "Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change", "source": {"advisory": "GHSA-3ccg-x393-96v8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.0.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released", "name": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-521", "description": "CWE-521: Weak Password Requirements"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T21:35:23.230Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27575", "state": "PUBLISHED", "dateUpdated": "2026-02-26T20:39:18.888Z", "dateReserved": "2026-02-20T17:40:28.449Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T21:35:23.230Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "53D82FAD-8E42-40F8-A11D-1FE7EDB4620B", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. Antes de la versi\u00f3n 2.0.0, la aplicaci\u00f3n permite a los usuarios establecer contrase\u00f1as d\u00e9biles (p. ej., 1234, password) sin aplicar requisitos de fortaleza m\u00ednima. Adem\u00e1s, las sesiones activas permanecen v\u00e1lidas despu\u00e9s de que un usuario cambia su contrase\u00f1a. Un atacante que compromete una cuenta (mediante fuerza bruta o relleno de credenciales) puede mantener acceso persistente incluso despu\u00e9s de que la v\u00edctima restablece su contrase\u00f1a. La versi\u00f3n 2.0.0 contiene una correcci\u00f3n."}], "id": "CVE-2026-27575", "lastModified": "2026-03-05T17:21:37.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T22:16:26.383", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}, {"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-04-17T14:48:18.615220+00:00", "value": {"mitigation_remediation": ["Upgrade Vikunja to version 2.0.0 or later, where the password strength enforcement and session invalidation are implemented.", "If an upgrade is temporarily unfeasible, enforce a stricter password policy manually by configuring the application (or an external authentication layer) to require a minimum length and character complexity.", "Implement session invalidation on password change by disabling persistent session cookies or configuring the app to log users out immediately after a password change, so that an attacker\u2019s existing session is terminated."], "summary": {"action": "Immediate Patch", "impact": "Persistent unauthorized access after password reset"}, "threat_synthesis": {"affected_systems": "This issue affects the open\u2011source self\u2011hosted task management platform Vikunja from the vendor go\u2011vikunja:vikunja, namely all releases older than version 2.0.0. Version 2.0.0 and later incorporate the fix that enforces stronger password requirements and invalidates sessions when the password is updated.", "description_and_impact": "The vulnerability arises from a weak password policy that allows easily guessable passwords such as 1234 or password, coupled with persistent sessions that remain logged in even after a user changes their password. An attacker who compromises an account through brute\u2011force or credential\u2011stuffing attacks can retain unauthorized access after the legitimate user resets their password, effectively bypassing the intended security boundary. Because the system does not enforce a minimum password strength, any user can fall into this scenario, making the impact a persistent unauthenticated or unauthorized session.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.1, indicating a high\u2011severity risk. The EPSS score is less than 1% at the time of analysis, implying a low but non\u2011zero probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring access to the web application\u2019s authentication endpoint; once a valid account is compromised, the attacker benefits from persistent sessions that survive password changes. Because the attacker\u2019s session does not expire, the vulnerability can be abused to maintain covert malicious presence, making it difficult to detect or mitigate without intervention."}}}}, "created": "2026-02-26T13:10:52.462960+00:00", "updated": "2026-04-17T15:00:11.014381+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}