Description
Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.
Published: 2026-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Patch
AI Analysis

Impact

Vikunja versions starting at 1.0.0-rc0 and continuing through 2.1.x decode images during preview generation without any limits on image size or resolution. Attackers can submit highly compressed images that appear small but contain extremely large dimensions, forcing the system to allocate excessive CPU and memory resources. This uncontrolled consumption can halt the service and make the application unavailable to all users, representing a classic denial-of-service attack.

Affected Systems

The affected software is the Vikunja self-hosted task management platform. All releases from the initial 1.0.0-rc0 up to, but not including, version 2.2.0 are vulnerable. Version 2.2.0 and any subsequent releases contain the patch that removes the unbounded decoding behavior.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score below 1% suggests the likelihood of exploitation is low at present. Since the vulnerability is not listed in CISA's KEV catalog, there is no confirmed large-scale exploitation. The typical attack vector is a remote HTTP request that triggers image preview processing: an attacker can upload or reference a malicious image through the web interface or API, leading the server to perform the expensive decoding and resizing operation. If successful, the attacker can exhaust system resources and bring the application, and potentially the hosting environment, offline.
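The defensive pattern the fix relies on, as an added example that is not code from the advisory or from the Vikunja project: in Go, image.DecodeConfig parses only the image header and allocates no pixel buffer, so the declared dimensions can be checked against a pixel budget before the full decode and resize ever run. The budget value, the function names and the two constructed test files (a real 64x64 PNG and a header-only PNG claiming 100000x100000) are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/png" // registers the PNG decoder with image.DecodeConfig
)

const maxPreviewPixels = 25_000_000 // hypothetical budget (~5000x5000), sized to memory you can spare per preview
var ErrTooLarge = errors.New("image exceeds preview pixel budget")

// checkImageDimensions reads only the header (no pixel buffer is allocated) and rejects over-budget images before any full decode.
func checkImageDimensions(data []byte) (image.Config, error) {
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return cfg, err
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || int64(cfg.Width)*int64(cfg.Height) > maxPreviewPixels {
		return cfg, ErrTooLarge
	}
	return cfg, nil
}

// pngHeaderOnly is constructed test input: PNG signature plus a valid IHDR chunk claiming
// the given dimensions and nothing else, so the file stays tiny whatever size it declares.
func pngHeaderOnly(width, height uint32) []byte {
	chunk := []byte("IHDR\x00\x00\x00\x00\x00\x00\x00\x00\x08\x02\x00\x00\x00") // type + 13-byte body: 8-bit RGB
	binary.BigEndian.PutUint32(chunk[4:], width)
	binary.BigEndian.PutUint32(chunk[8:], height)
	sig := []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 0, 0, 0, 13} // signature + chunk length
	return binary.BigEndian.AppendUint32(append(sig, chunk...), crc32.ChecksumIEEE(chunk)) // CRC spans type+body
}

// smallPNG is a constructed, fully valid 64x64 image that should pass the check.
func smallPNG() []byte {
	var buf bytes.Buffer
	png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, 64, 64)))
	return buf.Bytes()
}

func main() {
	for _, data := range [][]byte{smallPNG(), pngHeaderOnly(100000, 100000)} {
		cfg, err := checkImageDimensions(data)
		fmt.Printf("%d bytes claiming %dx%d -> err=%v\n", len(data), cfg.Width, cfg.Height, err)
	}
}
```

The header-only file is a few dozen bytes yet declares ten billion pixels; the check rejects it from the header alone, which is the work the vulnerable versions skipped.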

Generated by OpenCVE AI on March 27, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enable monitoring of CPU and memory utilization, and configure alerts for sudden spikes that may indicate an ongoing denial-of-service attempt

Advisories
Source: GitHub GHSA
ID: GHSA-wc83-79hj-hpmq
Title: Vikunja Affected by DoS via Image Preview Generation
History

Fri, 27 Mar 2026 17:00:00 +0000

Values removed: none
Values added:
  • First Time appeared: Vikunja; Vikunja vikunja
  • CPEs: cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
  • Vendors & Products: Vikunja; Vikunja vikunja

Wed, 25 Mar 2026 12:00:00 +0000

Values removed: none
Values added:
  • First Time appeared: Go-vikunja; Go-vikunja vikunja
  • Vendors & Products: Go-vikunja; Go-vikunja vikunja

Tue, 24 Mar 2026 16:15:00 +0000

Values removed: none
Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 15:45:00 +0000

Values removed: none
Values added:
  • Description: Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.
  • Title: Vikunja Affected by DoS via Image Preview Generation
  • Weaknesses: CWE-400
  • References: none listed
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:52:23.050Z

Reserved: 2026-03-20T16:16:48.969Z

Link: CVE-2026-33474

Vulnrichment

Updated: 2026-03-24T15:52:11.440Z

NVD

Status: Analyzed

Published: 2026-03-24T16:16:33.863

Modified: 2026-03-27T16:47:45.293

Link: CVE-2026-33474

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:26:42Z

Weaknesses