CVE-2026-35602 MEDIUM

CVE-2026-35602: Vikunja has a File Size Limit Bypass via Vikunja Import

Vendor Go-Vikunja
Product vikunja
Weakness CWE-770 · Uncontrolled resource consumption
Published April 10, 2026
Last update April 14, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.

Key dates

02Disclosure timeline

April 10, 2026 CVE published
April 14, 2026 Record updated