CVE-2026-33474

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33474

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33474.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33474

Aliases

Downstream

SUSE-SU-2026:1135-1

Related

SUSE-SU-2026:1135-1

Published

2026-03-24T15:21:19.628Z

Modified

2026-04-02T13:27:25.175095Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Vikunja Affected by DoS via Image Preview Generation

Details

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33474.json"
}

References

Affected packages

Git / github.com/go-vikunja/vikunja

Affected ranges

Type

GIT

Repo

https://github.com/go-vikunja/vikunja

Events

Introduced

0a7cc2b7df2d837ae295c748d1e9bf7f1a03dfd5

Fixed

b365be1881641dd2791d3dff4c26ad941c13cef6

Database specific

{
    "versions": [
        {
            "introduced": "1.0.0-rc0"
        },
        {
            "fixed": "2.2.0"
        }
    ]
}

Affected versions

v1.*

v1.0.0

v1.0.0-rc0

v1.0.0-rc1

v1.0.0-rc2

v1.0.0-rc3

v1.0.0-rc4

v1.1.0

v2.*

v2.0.0

v2.1.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33474.json"