CVE-2026-33473

EUVD-2026-14175
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.7 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
GitHub_MCNA
5.7 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
vikunjavikunja
0.13 ≤
𝑥
< 2.2.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r
https://vikunja.io/changelog/vikunja-v2.2.0-was-released
https://vikunja.io/changelog/vikunja-v2.2.2-was-released