CVE-2026-33473

EUVD-2026-20081
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.7 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
vikunjavikunja
0.13 ≤
𝑥
< 2.2.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r
https://vikunja.io/changelog/vikunja-v2.2.0-was-released
https://vikunja.io/changelog/vikunja-v2.2.2-was-released