Vulnerability Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vikunja | Vikunja | < 2.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/go-vikunja/vikunja/pull/2575Issue Tracking
- https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0Release Notes
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-qh78-rvg3-cv54ExploitVendor Advisory
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-qh78-rvg3-cv54ExploitVendor Advisory
FAQ
What is CVE-2026-35602?
CVE-2026-35602 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip in...
How severe is CVE-2026-35602?
CVE-2026-35602 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35602?
Check the references section above for vendor advisories and patch information. Affected products include: Vikunja Vikunja.