{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-29T16:14:37.809","vulnerabilities":[{"cve":{"id":"CVE-2026-33473","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T16:16:33.710","lastModified":"2026-03-27T16:53:32.720","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue."},{"lang":"es","value":"Vikunja es una plataforma de gestión de tareas de código abierto autoalojada. A partir de la versión 0.13 y antes de la versión 2.2.1, cualquier usuario que haya habilitado 2FA puede ver su TOTP reutilizado durante la ventana de validez estándar de 30 segundos. La versión 2.2.1 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*","versionStartIncluding":"0.13","versionEndExcluding":"2.2.1","matchCriteriaId":"A9EDB458-A25F-4E79-A8D5-340826D95EB6"}]}]}],"references":[{"url":"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://vikunja.io/changelog/vikunja-v2.2.0-was-released","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://vikunja.io/changelog/vikunja-v2.2.2-was-released","source":"security-advisories@github.com","tags":["Release Notes"]}]}}]}