{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33474", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.969Z", "datePublished": "2026-03-24T15:21:19.628Z", "dateUpdated": "2026-03-24T15:52:23.050Z"}, "containers": {"cna": {"title": "Vikunja Affected by DoS via Image Preview Generation", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-wc83-79hj-hpmq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-wc83-79hj-hpmq"}, {"name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": ">= 1.0.0-rc0, < 2.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:21:19.628Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue."}], "source": {"advisory": "GHSA-wc83-79hj-hpmq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:51:39.283492Z", "id": "CVE-2026-33474", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:52:23.050Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33474", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:51:39.283492Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:52:11.440Z"}}], "cna": {"title": "Vikunja Affected by DoS via Image Preview Generation", "source": {"advisory": "GHSA-wc83-79hj-hpmq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": ">= 1.0.0-rc0, < 2.2.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-wc83-79hj-hpmq", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-wc83-79hj-hpmq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:21:19.628Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33474", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:52:23.050Z", "dateReserved": "2026-03-20T16:16:48.969Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T15:21:19.628Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "E116DBC4-C051-4E5D-9ADD-537A7132C725", "versionEndExcluding": "2.2.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. A partir de la versi\u00f3n 1.0.0-rc0 y anterior a la versi\u00f3n 2.2.0, la decodificaci\u00f3n y el redimensionamiento ilimitados de im\u00e1genes durante la generaci\u00f3n de previsualizaciones permiten a un atacante agotar la CPU y la memoria con im\u00e1genes altamente comprimidas pero de dimensiones extremadamente grandes. La versi\u00f3n 2.2.0 corrige el problema."}], "id": "CVE-2026-33474", "lastModified": "2026-03-27T16:47:45.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T16:16:33.863", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-wc83-79hj-hpmq"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0-rc0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-03-27T18:25:03.130482+00:00", "value": {"mitigation_remediation": ["Enable monitoring of CPU and memory utilization, and configure alerts for sudden spikes that may indicate an ongoing denial\u2011of\u2011service attempt"], "summary": {"action": "Patch", "impact": "Denial of Service via resource exhaustion"}, "threat_synthesis": {"affected_systems": "The affected software is the Vikunja self\u2011hosted task management platform. All releases from the initial 1.0.0\u2011rc0 up to, but not including, version 2.2.0 are vulnerable. Version 2.2.0 and any subsequent releases contain the patch that removes the unbounded decoding behavior.", "description_and_impact": "Vikunja versions starting at 1.0.0-rc0 and continuing through 2.1.x decode images during preview generation without any limits on image size or resolution. Attackers can submit highly compressed images that appear small but contain extremely large dimensions, forcing the system to allocate excessive CPU and memory resources. This uncontrolled consumption can halt the service and make the application unavailable to all users, representing a classic denial\u2011of\u2011service attack.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score below 1% suggests the likelihood of exploitation is low at present. Since the vulnerability is not listed in CISA\u2019s KEV catalog, there is no confirmed large\u2011scale exploitation. The typical attack vector is a remote HTTP request that triggers image preview processing\u2014an attacker can upload or reference a malicious image through the web interface or API, leading the server to perform the expensive decoding and resizing operation. If successful, the attacker can exhaust system resources and bring the application, and potentially the hosting environment, offline."}}}}, "created": "2026-03-25T11:47:12.759111+00:00", "updated": "2026-03-27T20:26:42.785117+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}