{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33675", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.930Z", "datePublished": "2026-03-24T15:33:05.868Z", "dateUpdated": "2026-03-24T18:15:30.530Z"}, "containers": {"cna": {"title": "Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr"}, {"name": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e"}, {"name": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:33:05.868Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue."}], "source": {"advisory": "GHSA-g66v-54v9-52pr", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:07:14.596795Z", "id": "CVE-2026-33675", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:15:30.530Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33675", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:07:14.596795Z"}}}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:14:52.898Z"}}], "cna": {"title": "Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources", "source": {"advisory": "GHSA-g66v-54v9-52pr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.2.1"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e", "name": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e", "tags": ["x_refsource_MISC"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "name": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:33:05.868Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33675", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:15:30.530Z", "dateReserved": "2026-03-23T16:34:59.930Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T15:33:05.868Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8647862-9C78-473D-9FED-7AFC24335A61", "versionEndExcluding": "2.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. Antes de la versi\u00f3n 2.2.1, las funciones auxiliares de migraci\u00f3n 'DownloadFile' y 'DownloadFileWithHeaders' en 'pkg/modules/migration/helpers.go' realizan solicitudes HTTP GET arbitrarias sin ninguna protecci\u00f3n SSRF. Cuando un usuario activa una migraci\u00f3n de Todoist o Trello, las URL de archivos adjuntos de la respuesta de la API de terceros se pasan directamente a estas funciones, permitiendo a un atacante forzar al servidor de Vikunja a obtener recursos de red internos y devolver la respuesta como un archivo adjunto de tarea descargable. La versi\u00f3n 2.2.1 corrige el problema."}], "id": "CVE-2026-33675", "lastModified": "2026-03-27T16:20:07.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T16:16:34.787", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-03-27T17:52:16.755631+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to Vikunja\u202f2.2.1 or newer.", "If a patch cannot be applied immediately, restrict migration functionality to trusted administrators and validate URLs before fetching.", "Ensure network segmentation or firewall rules prevent the server from reaching internal resources that should not be accessed."], "summary": {"action": "Immediate Patch", "impact": "SSRF that allows internal network data exposure"}, "threat_synthesis": {"affected_systems": "The issue affects all Vikunja releases older than version\u202f2.2.1. After applying the patch shipped in Vikunja\u202f2.2.1, the migration functions no longer perform unsanitized external requests. The problem exists only within the Todoist or Trello migration workflow, so systems that have disabled or never used that feature are not exposed.", "description_and_impact": "Vikunja is an open\u2011source self\u2011hosted task\u2011management platform. The migration helper functions DownloadFile and DownloadFileWithHeaders allow the server to perform arbitrary HTTP GET requests without SSRF protection. A user initiating a migration from Todoist or Trello can supply file attachment URLs from the third\u2011party response that point to internal network resources. The server then fetches those resources and returns them as downloadable attachments, enabling data exposure of internal assets such as configuration files, internal services, or other sensitive resources. The flaw is not a remote code execution or privilege\u2011elevation issue; it solely permits unauthorized read access to internal data.", "risk_and_exploitability": "The CVSS base score is 6.4, placing the vulnerability in the medium\u2011to\u2011high range. The EPSS score is below 1\u202f%, indicating a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user or attacker to trigger a migration that includes a malicious file attachment URL; this can be achieved by compromising a third\u2011party account or by creating a migration request that includes a crafted URL if the system allows arbitrary URLs. No authentication bypass or elevated privileges are required beyond initiating the migration."}}}}, "created": "2026-03-25T11:47:10.862165+00:00", "updated": "2026-03-27T20:26:40.719261+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}