GO-2026-4480: Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api

  GO-2026-4551: Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api

  GO-2026-4552: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api

  GO-2026-4553: Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api

  GO-2026-4556: Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api

  GO-2026-4575: Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api

  GO-2026-4791: Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api

  GO-2026-4794: Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api

  GO-2026-4795: Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api

  GO-2026-4797: Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api

  GO-2026-4798: Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api

  GO-2026-4805: Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api

  GO-2026-4811: Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api