Vulnerability Details CVE-2026-33312
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.4%
CVSS Severity
CVSS v3 Score 5.4
References
Products affected by CVE-2026-33312
-
cpe:2.3:a:vikunja:vikunja:0.20.2
-
cpe:2.3:a:vikunja:vikunja:0.20.3
-
cpe:2.3:a:vikunja:vikunja:0.20.4
-
cpe:2.3:a:vikunja:vikunja:0.20.5
-
cpe:2.3:a:vikunja:vikunja:0.21.0
-
cpe:2.3:a:vikunja:vikunja:0.22.0
-
cpe:2.3:a:vikunja:vikunja:0.22.1
-
cpe:2.3:a:vikunja:vikunja:0.23.0
-
cpe:2.3:a:vikunja:vikunja:0.24.0
-
cpe:2.3:a:vikunja:vikunja:0.24.1
-
cpe:2.3:a:vikunja:vikunja:0.24.2
-
cpe:2.3:a:vikunja:vikunja:0.24.3
-
cpe:2.3:a:vikunja:vikunja:0.24.4
-
cpe:2.3:a:vikunja:vikunja:0.24.5
-
cpe:2.3:a:vikunja:vikunja:0.24.6
-
cpe:2.3:a:vikunja:vikunja:1.0.0
-
cpe:2.3:a:vikunja:vikunja:1.1.0
-
cpe:2.3:a:vikunja:vikunja:2.0.0
-
cpe:2.3:a:vikunja:vikunja:2.1.0