{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-12T11:49:30.866","vulnerabilities":[{"cve":{"id":"CVE-2026-33678","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T16:16:35.270","lastModified":"2026-03-30T13:57:13.337","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue."},{"lang":"es","value":"Vikunja es una plataforma de gestión de tareas de código abierto y autoalojada. Antes de la versión 2.2.1, 'TaskAttachment.ReadOne()' consulta los adjuntos solo por ID ('WHERE id = ?'), ignorando el ID de la tarea de la ruta URL. La verificación de permisos en 'CanRead()' valida el acceso a la tarea especificada en la URL, pero 'ReadOne()' carga un adjunto diferente que puede pertenecer a una tarea en otro proyecto. Esto permite a cualquier usuario autenticado descargar o eliminar cualquier adjunto en el sistema proporcionando su propio ID de tarea accesible junto con un ID de adjunto objetivo. Los ID de los adjuntos son enteros secuenciales, lo que hace que la enumeración sea trivial. La versión 2.2.1 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*","versionEndExcluding":"2.2.1","matchCriteriaId":"E8647862-9C78-473D-9FED-7AFC24335A61"}]}]}],"references":[{"url":"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://vikunja.io/changelog/vikunja-v2.2.2-was-released","source":"security-advisories@github.com","tags":["Release Notes"]}]}}]}