{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T05:03:09.774","vulnerabilities":[{"cve":{"id":"CVE-2026-33679","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T16:16:35.420","lastModified":"2026-03-30T13:56:01.700","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue."},{"lang":"es","value":"Vikunja es una plataforma de gestión de tareas de código abierto autoalojada. Antes de la versión 2.2.1, la función `DownloadImage` en `pkg/utils/avatar.go` utiliza un `http.Client{}` básico sin protección SSRF al descargar imágenes de avatar de usuario de la URL de la declaración 'picture' de OpenID Connect. Un atacante que controla la URL de la imagen de perfil de su OIDC puede forzar al servidor Vikunja a realizar solicitudes GET HTTP a puntos finales de metadatos internos o en la nube arbitrarios. Esto elude las protecciones SSRF que se aplican correctamente al sistema de webhooks. La versión 2.2.1 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":3.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*","versionEndExcluding":"2.2.1","matchCriteriaId":"E8647862-9C78-473D-9FED-7AFC24335A61"}]}]}],"references":[{"url":"https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://vikunja.io/changelog/vikunja-v2.2.2-was-released","source":"security-advisories@github.com","tags":["Release Notes"]}]}}]}
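The record above describes the vulnerable pattern: a bare `http.Client{}` fetching whatever URL the identity provider placed in the OIDC `picture` claim, with none of the SSRF checks the webhook path already had. The Go block below is an added example of how such a fetch can be guarded; it is not Vikunja's code and not the fix in the referenced commit. The function names (`IsDisallowedIP`, `ValidateAvatarURL`, `NewSafeAvatarClient`, `DownloadAvatar`), the blocked-range list and the timeouts are assumptions made for this illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Ranges an avatar fetch must never reach: unspecified, loopback, RFC 1918, CGNAT,
// link-local (which covers the 169.254.169.254 metadata endpoint), multicast, ULA.
var blockedNets = func() (out []netip.Prefix) {
	for _, c := range []string{"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
		"172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8"} {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}()

// IsDisallowedIP reports whether ip lies in one of blockedNets.
func IsDisallowedIP(ip net.IP) bool {
	a, ok := netip.AddrFromSlice(ip)
	if !ok {
		return true // unparseable address: fail closed
	}
	a = a.Unmap() // ::ffff:127.0.0.1 must not dodge the IPv4 rules
	for _, p := range blockedNets {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ValidateAvatarURL does the cheap syntactic checks before any network activity.
func ValidateAvatarURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("avatar url: scheme, userinfo or host rejected in %q", raw)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && IsDisallowedIP(ip) {
		return nil, fmt.Errorf("avatar url: %s is in a blocked range", ip)
	}
	return u, nil
}

// NewSafeAvatarClient resolves the host inside the dialer, rejects any answer in a
// blocked range and dials only the vetted IP, so a DNS answer cannot change between
// check and connect (rebinding). Redirects are refused; Proxy stays nil (no env proxy).
func NewSafeAvatarClient() *http.Client {
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		for _, a := range ips {
			if IsDisallowedIP(a.IP) {
				return nil, fmt.Errorf("ssrf guard: %s resolves to blocked address %s", host, a.IP)
			}
		}
		return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
	}
	return &http.Client{
		Transport: &http.Transport{DialContext: dial},
		Timeout:   10 * time.Second, // covers dial, headers and body for the whole fetch
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("ssrf guard: redirects are not followed")
		},
	}
}

// DownloadAvatar is the hardened replacement for a bare http.Client{}.Get on the claim URL.
func DownloadAvatar(client *http.Client, pictureURL string) (int, error) {
	u, err := ValidateAvatarURL(pictureURL)
	if err != nil {
		return 0, err
	}
	resp, err := client.Get(u.String())
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	_, err := DownloadAvatar(NewSafeAvatarClient(), "http://169.254.169.254/latest/meta-data/")
	fmt.Println("guarded fetch:", err)
}
```

The check that matters sits in the dialer, not only in `ValidateAvatarURL`: a hostname that passes a pre-flight lookup can be re-pointed at 127.0.0.1 or 169.254.169.254 by the time the connection is opened, and a redirect from a public host can land anywhere, so the address is vetted at the moment it is dialed and redirects are not followed at all. An allowlist of identity-provider hosts, where the deployment knows them, is a stricter alternative to the denylist used here.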