Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-56765

CRITICAL NVD
CVSS Score 9.8
Severity CRITICAL
Published Jul 10, 2026
Vendor unknown

Description

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.

References