{
"Source": "CVE FEED",
"Title": "CVE-2026-4715 - Uninitialized memory in the Graphics: Canvas2D component",
"Content": "CVE ID :CVE-2026-4715
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Uninitialized memory in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-4715 - Uninitialized memory in the Graphics: Canvas2D component",
"Content": "CVE ID :CVE-2026-4715
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Uninitialized memory in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-4717 - Privilege escalation in the Netmonitor component",
"Content": "CVE ID :CVE-2026-4717
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-4717 - Privilege escalation in the Netmonitor component",
"Content": "CVE ID :CVE-2026-4717
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-4718 - Undefined behavior in the WebRTC: Signaling component",
"Content": "CVE ID :CVE-2026-4718
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-4718 - Undefined behavior in the WebRTC: Signaling component",
"Content": "CVE ID :CVE-2026-4718
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-4719 - Incorrect boundary conditions in the Graphics: Text component",
"Content": "CVE ID :CVE-2026-4719
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Incorrect boundary conditions in the Graphics: Text component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-4719 - Incorrect boundary conditions in the Graphics: Text component",
"Content": "CVE ID :CVE-2026-4719
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Incorrect boundary conditions in the Graphics: Text component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-4711 - Use-after-free in the Widget: Cocoa component",
"Content": "CVE ID :CVE-2026-4711
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-4711 - Use-after-free in the Widget: Cocoa component",
"Content": "CVE ID :CVE-2026-4711
Published : March 24, 2026, 1:16 p.m. | 51 minutes ago
Description :Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33700 - Vikunja has a Link Share Delete IDOR โ Missing Project Ownership Check Allows Cross-Project Link Share Deletion",
"Content": "CVE ID :CVE-2026-33700
Published : March 24, 2026, 3:51 p.m. | 22 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33700 - Vikunja has a Link Share Delete IDOR โ Missing Project Ownership Check Allows Cross-Project Link Share Deletion",
"Content": "CVE ID :CVE-2026-33700
Published : March 24, 2026, 3:51 p.m. | 22 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33680 - Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation",
"Content": "CVE ID :CVE-2026-33680
Published : March 24, 2026, 3:47 p.m. | 26 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33680 - Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation",
"Content": "CVE ID :CVE-2026-33680
Published : March 24, 2026, 3:47 p.m. | 26 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33679 - Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections",
"Content": "CVE ID :CVE-2026-33679
Published : March 24, 2026, 3:46 p.m. | 28 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33679 - Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections",
"Content": "CVE ID :CVE-2026-33679
Published : March 24, 2026, 3:46 p.m. | 28 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33678 - Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion",
"Content": "CVE ID :CVE-2026-33678
Published : March 24, 2026, 3:44 p.m. | 30 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33678 - Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion",
"Content": "CVE ID :CVE-2026-33678
Published : March 24, 2026, 3:44 p.m. | 30 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33677 - Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API",
"Content": "CVE ID :CVE-2026-33677
Published : March 24, 2026, 3:36 p.m. | 37 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33677 - Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API",
"Content": "CVE ID :CVE-2026-33677
Published : March 24, 2026, 3:36 p.m. | 37 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33676 - Vikunja has Cross-Project Information Disclosure via Task Relations โ Missing Authorization Check on Related Task Read",
"Content": "CVE ID :CVE-2026-33676
Published : March 24, 2026, 3:35 p.m. | 38 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33676 - Vikunja has Cross-Project Information Disclosure via Task Relations โ Missing Authorization Check on Related Task Read",
"Content": "CVE ID :CVE-2026-33676
Published : March 24, 2026, 3:35 p.m. | 38 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33675 - Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources",
"Content": "CVE ID :CVE-2026-33675
Published : March 24, 2026, 3:33 p.m. | 41 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33675 - Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources",
"Content": "CVE ID :CVE-2026-33675
Published : March 24, 2026, 3:33 p.m. | 41 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33668 - Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect",
"Content": "CVE ID :CVE-2026-33668
Published : March 24, 2026, 3:30 p.m. | 44 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths โ API tokens, CalDAV basic auth, and OpenID Connect โ do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33668 - Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect",
"Content": "CVE ID :CVE-2026-33668
Published : March 24, 2026, 3:30 p.m. | 44 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths โ API tokens, CalDAV basic auth, and OpenID Connect โ do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33474 - Vikunja Affected by DoS via Image Preview Generation",
"Content": "CVE ID :CVE-2026-33474
Published : March 24, 2026, 3:21 p.m. | 53 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33474 - Vikunja Affected by DoS via Image Preview Generation",
"Content": "CVE ID :CVE-2026-33474
Published : March 24, 2026, 3:21 p.m. | 53 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-71275 - Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection",
"Content": "CVE ID :CVE-2025-71275
Published : March 24, 2026, 3:21 p.m. | 53 minutes ago
Description :A critical security vulnerability exists in Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 that allows unauthenticated attackers to execute arbitrary system commands via SMTP injection. The vulnerability is triggered through improper sanitization of the RCPT TO parameter, enabling command injection using shell expansion syntax (e.g., $(COMMAND)). Successful exploitation results in remote code execution under the Zimbra service context without requiring authentication.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-71275 - Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection",
"Content": "CVE ID :CVE-2025-71275
Published : March 24, 2026, 3:21 p.m. | 53 minutes ago
Description :A critical security vulnerability exists in Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 that allows unauthenticated attackers to execute arbitrary system commands via SMTP injection. The vulnerability is triggered through improper sanitization of the RCPT TO parameter, enabling command injection using shell expansion syntax (e.g., $(COMMAND)). Successful exploitation results in remote code execution under the Zimbra service context without requiring authentication.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33473 - Vikunja has TOTP Reuse During Validity Window",
"Content": "CVE ID :CVE-2026-33473
Published : March 24, 2026, 3:18 p.m. | 56 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33473 - Vikunja has TOTP Reuse During Validity Window",
"Content": "CVE ID :CVE-2026-33473
Published : March 24, 2026, 3:18 p.m. | 56 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-4775 - Libtiff: libtiff: arbitrary code execution or denial of service via signed integer overflow in tiff file processing",
"Content": "CVE ID :CVE-2026-4775
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-4775 - Libtiff: libtiff: arbitrary code execution or denial of service via signed integer overflow in tiff file processing",
"Content": "CVE ID :CVE-2026-4775
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33315 - Vikunja has a 2FA Bypass via Caldav Basic Auth",
"Content": "CVE ID :CVE-2026-33315
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33315 - Vikunja has a 2FA Bypass via Caldav Basic Auth",
"Content": "CVE ID :CVE-2026-33315
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33316 - Vikunjaโs Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement",
"Content": "CVE ID :CVE-2026-33316
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunjaโs password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the userโs status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33316 - Vikunjaโs Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement",
"Content": "CVE ID :CVE-2026-33316
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunjaโs password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the userโs status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33313 - Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments",
"Content": "CVE ID :CVE-2026-33313
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33313 - Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments",
"Content": "CVE ID :CVE-2026-33313
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2026-33554 - Dell FreeIPMI Buffer Overflow Vulnerability",
"Content": "CVE ID :CVE-2026-33554
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: "ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers," "ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers," and "ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers."
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2026-33554 - Dell FreeIPMI Buffer Overflow Vulnerability",
"Content": "CVE ID :CVE-2026-33554
Published : March 24, 2026, 3:16 p.m. | 57 minutes ago
Description :ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: "ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers," "ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers," and "ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers."
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น