{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33675", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.930Z", "datePublished": "2026-03-24T15:33:05.868Z", "dateUpdated": "2026-03-24T18:15:30.530Z"}, "containers": {"cna": {"title": "Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr"}, {"name": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e"}, {"name": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:33:05.868Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue."}], "source": {"advisory": "GHSA-g66v-54v9-52pr", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:07:14.596795Z", "id": "CVE-2026-33675", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:15:30.530Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33675", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:07:14.596795Z"}}}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:14:52.898Z"}}], "cna": {"title": "Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources", "source": {"advisory": "GHSA-g66v-54v9-52pr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.2.1"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e", "name": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e", "tags": ["x_refsource_MISC"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "name": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:33:05.868Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33675", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:15:30.530Z", "dateReserved": "2026-03-23T16:34:59.930Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T15:33:05.868Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8647862-9C78-473D-9FED-7AFC24335A61", "versionEndExcluding": "2.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. Antes de la versi\u00f3n 2.2.1, las funciones auxiliares de migraci\u00f3n 'DownloadFile' y 'DownloadFileWithHeaders' en 'pkg/modules/migration/helpers.go' realizan solicitudes HTTP GET arbitrarias sin ninguna protecci\u00f3n SSRF. Cuando un usuario activa una migraci\u00f3n de Todoist o Trello, las URL de archivos adjuntos de la respuesta de la API de terceros se pasan directamente a estas funciones, permitiendo a un atacante forzar al servidor de Vikunja a obtener recursos de red internos y devolver la respuesta como un archivo adjunto de tarea descargable. La versi\u00f3n 2.2.1 corrige el problema."}], "id": "CVE-2026-33675", "lastModified": "2026-03-27T16:20:07.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T16:16:34.787", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-03-24T17:22:44.676634+00:00", "value": {"mitigation_remediation": ["Check the current Vikunja version on each host and confirm it is 2.2.1 or later.", "Apply the official update that patches the SSRF vulnerability.", "If an immediate upgrade is unavailable, restrict the Vikunja server\u2019s outbound HTTP traffic or configure network firewalls to block access to internal resources during migration operations.", "Monitor migration logs for unexpected internal URL accesses and review network traffic for signs of exploitation."], "summary": {"action": "Immediate Patch", "impact": "Internal Network Disclosure via SSRF"}, "threat_synthesis": {"affected_systems": "Deployments of Vikunja version 2.2.0 or earlier are affected, as the vulnerability resides in the DownloadFile and DownloadFileWithHeaders functions used during migration. Administrators should check the installed version on all servers and plan to upgrade to 2.2.1 or newer to eliminate the flaw.", "description_and_impact": "The flaw is a server\u2011side request forgery located in the migration helper of Vikunja. When a user starts a Todoist or Trello migration, the helper accepts file attachment URLs from the third\u2011party API without validation and passes them to functions that perform arbitrary HTTP GET requests. This gives an attacker the ability to force the Vikunja server to retrieve any internal network resource and return the response as a downloadable file. The weakness is classified as CWE\u2011918 and primarily exposes confidential internal data.", "risk_and_exploitability": "The CVSS base score of 6.4 signals a medium severity issue. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, indicating limited public exploitation. An attacker would need to trigger or influence a migration request, but once that occurs the SSRF path is straightforward to exploit, particularly in environments where the server can reach private network segments."}}}}, "created": "2026-03-25T11:47:10.862165+00:00", "updated": "2026-03-25T20:49:55.438003+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}