{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T16:14:05.913","vulnerabilities":[{"cve":{"id":"CVE-2026-28268","sourceIdentifier":"security-advisories@github.com","published":"2026-02-27T21:16:18.233","lastModified":"2026-03-06T21:03:09.780","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vikunja is an open-source self-hosted task management platform. In versions prior to 2.1.0, a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue."},{"lang":"es","value":"Vikunja is an open-source self-hosted task management platform. In versions prior to 2.1.0, a business logic vulnerability exists in the password reset mechanism of vikunja/API that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic error in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete and persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-459"},{"lang":"en","value":"CWE-640"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-640"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*","versionEndExcluding":"2.1.0","matchCriteriaId":"5F4164A9-6656-425E-81AF-BC892E137C82"}]}]}],"references":[{"url":"https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://vikunja.io/changelog/vikunja-v2.1.0-was-released","source":"security-advisories@github.com","tags":["Release Notes"]}]}}]}
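The record above names two defects behind CWE-640 / CWE-459: a reset token is not invalidated when it is used, and the cleanup job that should have removed stale tokens did not. The Go example below is added here for illustration and is not Vikunja's code (the linked commit and GHSA advisory are the sources for the project's actual fix); it is an assumed in-memory reconstruction of the vulnerable behaviour beside a single-use, time-bounded store, with every type and function name (VulnerableStore, HardenedStore, Sweep, newToken) invented for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Illustrative reset-token stores assumed for this example (not Vikunja's code;
// single-goroutine, so no locking). VulnerableStore reproduces the advisory's
// failure mode: tokens are never removed or expired. HardenedStore does both.
var ErrInvalidToken = errors.New("invalid or expired reset token")

// VulnerableStore maps plaintext token -> user and never invalidates anything.
type VulnerableStore struct{ tokens map[string]string }

func (s *VulnerableStore) Issue(user string) string {
	tok := newToken()
	s.tokens[tok] = user
	return tok
}

// Reset leaves the token in place, so every later call with it succeeds too.
func (s *VulnerableStore) Reset(tok string) (string, error) {
	if user, ok := s.tokens[tok]; ok {
		return user, nil
	}
	return "", ErrInvalidToken
}

type resetRecord struct {
	user    string
	expires time.Time
}

// HardenedStore keys records by SHA-256 of the token (a leaked table or log
// line then holds no usable token) and enforces single use plus a TTL.
type HardenedStore struct {
	records map[[32]byte]resetRecord
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewHardenedStore(ttl time.Duration, now func() time.Time) *HardenedStore {
	return &HardenedStore{records: map[[32]byte]resetRecord{}, ttl: ttl, now: now}
}

func (s *HardenedStore) Issue(user string) string {
	tok := newToken()
	s.records[sha256.Sum256([]byte(tok))] = resetRecord{user, s.now().Add(s.ttl)}
	return tok
}

// Reset consumes the token on first presentation whether or not it is still
// valid: a replay fails, and an expired token does not linger either.
func (s *HardenedStore) Reset(tok string) (string, error) {
	key := sha256.Sum256([]byte(tok))
	rec, ok := s.records[key]
	if !ok {
		return "", ErrInvalidToken
	}
	delete(s.records, key)
	if s.now().After(rec.expires) {
		return "", ErrInvalidToken
	}
	return rec.user, nil
}

// Sweep is what a cleanup cron should do: drop expired records, report the count.
func (s *HardenedStore) Sweep() int {
	n := 0
	for k, rec := range s.records {
		if s.now().After(rec.expires) {
			delete(s.records, k)
			n++
		}
	}
	return n
}

func newToken() string {
	b := make([]byte, 32) // 256 bits from crypto/rand, hex-encoded for the reset URL
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func main() {
	v := &VulnerableStore{tokens: map[string]string{}}
	h := NewHardenedStore(time.Hour, time.Now)
	vt, ht := v.Issue("alice"), h.Issue("alice")
	v.Reset(vt) // legitimate first use
	h.Reset(ht)
	_, ev := v.Reset(vt) // replay of the same token
	_, eh := h.Reset(ht)
	fmt.Println("replay accepted: vulnerable =", ev == nil, "hardened =", eh == nil)
}
```

Two design points carry the weight here. The hardened Reset deletes the record before it checks expiry, so a stale token is gone after one presentation even if the periodic Sweep never runs; the cron job is a backstop, not the control. Hashing the stored copy means a dump of the token table yields nothing reusable, but it does nothing for a token that was already captured from the reset URL in a log or browser history, which is exactly the interception the advisory describes and why single use and a short TTL are the actual mitigation.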