{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35599", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.162Z", "datePublished": "2026-04-10T16:05:57.581Z", "dateUpdated": "2026-04-10T18:28:29.310Z"}, "containers": {"cna": {"title": "Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-407", "lang": "en", "description": "CWE-407: Inefficient Algorithmic Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7"}, {"name": "https://github.com/go-vikunja/vikunja/pull/2577", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/pull/2577"}, {"name": "https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b"}, {"name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:05:57.581Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0."}], "source": {"advisory": "GHSA-r4fg-73rc-hhh7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:27:47.907031Z", "id": "CVE-2026-35599", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:28:29.310Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35599", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:27:47.907031Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:28:17.872Z"}}], "cna": {"title": "Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler", "source": {"advisory": "GHSA-r4fg-73rc-hhh7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.3.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/pull/2577", "name": "https://github.com/go-vikunja/vikunja/pull/2577", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b", "name": "https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "CWE-407: Inefficient Algorithmic Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:05:57.581Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35599", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:28:29.310Z", "dateReserved": "2026-04-03T21:25:12.162Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T16:05:57.581Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC8B46CF-6E7B-46F4-8275-D1A38F2A6D5E", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0."}], "id": "CVE-2026-35599", "lastModified": "2026-04-17T21:57:24.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T17:17:03.520", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/go-vikunja/vikunja/pull/2577"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-407"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-04-10T17:21:55.341140+00:00", "value": {"mitigation_remediation": ["Upgrade Vikunja to version 2.3.0 or later immediately. ", "If a rapid upgrade is not possible, restrict the creation of repeating tasks to trusted administrators and avoid 1\u2011second intervals. ", "Monitor CPU and database connection usage for unusual spikes. ", "Apply any vendor\u2011issued temporary throttle or rate\u2011limit rules if available. "], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via excessive CPU usage"}, "threat_synthesis": {"affected_systems": "Any deployment of the open\u2011source Vikunja task management platform running a version earlier than 2.3.0 is vulnerable. The affected component is the addRepeatIntervalToTime function in the repeating\u2011task handler.", "description_and_impact": "The vulnerability resides in Vikunja\u2019s algorithm for assigning repeat intervals to tasks. An O(n) loop processes each second until a due date is reached, and when a repeating task is set with a 1\u2011second interval and a start date far in the past, the loop can iterate billions of times. Each iteration consumes CPU cycles and holds a database connection for minutes, effectively saturating the server and causing service interruption. The weakness is identified as a classic algorithmic complexity issue (CWE\u2011407).", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity. Exploitation does not require elevated privileges or a privileged environment; the likely attack vector is the public\u2011facing API or any interface that accepts user\u2011supplied repeating\u2011task data. Attackers can trigger the DoS by submitting a single malicious task, leading to high CPU load and database lock\u2011up. No evidence suggests it is in the CISA KEV catalog nor is the EPSS score available, but the impact on availability and the ability to exercise the flaw remotely make it a significant risk for users unable to apply the fix promptly."}}}}, "created": "2026-04-13T12:44:01.670643+00:00", "updated": "2026-04-13T13:00:29.786003+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}