File Size Bypass Vulnerability in Vikunja Task Management Platform
CVE-2026-35602

5.4MEDIUM

Key Information:

Vendor

Go-vikunja

Status
Vikunja
Vendor
CVE Published:
10 April 2026

What is CVE-2026-35602?

Vikunja, a self-hosted task management platform, contains a vulnerability that allows attackers to bypass file size restrictions. This occurs when the JSON metadata in a zip import package uses an attacker-controlled Size field, which can be spoofed to 0. As a result, it circumvents the enforcement of configured maximum file size limits, potentially allowing the uploading of excessively large files. The issue has been addressed in version 2.3.0 with the implementation of improved file size validation measures.

Affected Version(s)

vikunja < 2.3.0

References

https://github.com/go-vikunja/vikunja/security/advisories...
x_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/pull/2575
x_refsource_MISC
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.