CVE-2026-33473

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33473

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33473.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33473

Aliases

Downstream

SUSE-SU-2026:1135-1

Related

SUSE-SU-2026:1135-1

Published

2026-03-24T15:18:14.481Z

Modified

2026-04-10T05:42:47.724505Z

Severity

5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Vikunja has TOTP Reuse During Validity Window

Details

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33473.json"
}

References

Affected packages

Git / github.com/go-vikunja/vikunja

Affected ranges

Type

GIT

Repo

https://github.com/go-vikunja/vikunja

Events

Introduced

91a3b7aba2f0b99a1e8131ff5f7bf88d535c1cf5

Fixed

6d5d3e051f4f9f6d72f5d1d552c2d90910fccb28

Database specific

{
    "versions": [
        {
            "introduced": "0.13"
        },
        {
            "fixed": "2.2.1"
        }
    ]
}

Affected versions

v0.*

v0.13

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.18.1

v0.19.0

v0.19.1

v0.19.2

v0.20.0

v0.20.1

v0.20.3

v0.20.4

v0.21.0

v0.22.0

v0.22.1

v0.23.0

v0.24.1

v1.*

v1.0.0

v1.0.0-rc0

v1.0.0-rc1

v1.0.0-rc2

v1.0.0-rc3

v1.0.0-rc4

v1.1.0

v2.*

v2.0.0

v2.1.0

v2.2.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33473.json"