Denial of Service Vulnerability in Vikunja Task Management Platform
CVE-2026-35599

6.5 MEDIUM

Key Information:

Vendor

Go-vikunja

Status
Vendor
CVE Published:
10 April 2026

What is CVE-2026-35599?

Vikunja, an open-source task management platform, is vulnerable to Denial of Service. In versions prior to 2.3.0, the function addRepeatIntervalToTime uses an O(n) loop that repeatedly advances a date by the task's repeat interval. If an attacker creates a task with a very short repeat interval and a due date in the past, the loop can run for an immense number of iterations, potentially billions. This consumes significant CPU and holds a database connection open for an extended period, leading to performance degradation or complete unavailability of the service. The vulnerability has been addressed in version 2.3.0.
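The Go sketch below is an added example, not Vikunja's code or its actual fix: it puts the stepping-loop pattern described above beside a constant-time replacement. The function names, the use of Unix seconds, and the "advance until strictly after now" rule are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// nextDueLoop steps one interval at a time until the due date passes now,
// the O(n) pattern the advisory describes. maxSteps is a guard added for this
// example so the demonstration always terminates.
func nextDueLoop(due, now, interval, maxSteps int64) (next, steps int64, done bool) {
	for due <= now {
		if steps == maxSteps {
			return due, steps, false
		}
		due += interval
		steps++
	}
	return due, steps, true
}

// nextDueConstant returns the same date and step count in O(1) using integer
// division, and rejects intervals that would never advance the date.
func nextDueConstant(due, now, interval int64) (next, steps int64, err error) {
	if interval <= 0 {
		return due, 0, errors.New("repeat interval must be positive")
	}
	if due > now {
		return due, 0, nil
	}
	steps = (now-due)/interval + 1
	return due + steps*interval, steps, nil
}

func main() {
	// Constructed sample: due date in 1900, one-second repeat interval.
	due := time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Unix()
	now := time.Date(2026, 4, 10, 0, 0, 0, 0, time.UTC).Unix()

	_, steps, done := nextDueLoop(due, now, 1, 1_000_000)
	fmt.Printf("loop: stopped after %d steps, finished=%v\n", steps, done)

	next, steps, _ := nextDueConstant(due, now, 1)
	fmt.Printf("constant time: %d steps, next due %s\n",
		steps, time.Unix(next, 0).UTC().Format(time.RFC3339))
}
```

The step count returned by the constant-time version is the number of iterations the loop would have needed, which makes it a convenient value to bound or log when validating task input.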

Affected Version(s)

vikunja < 2.3.0

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved