CVE-2026-35599

EUVD-2026-21426

10.04.2026, 17:17

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 16%

Affected Products (NVD)

Vendor	Product	Version
vikunja	vikunja	𝑥 < 2.3.0

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7

Common Weakness Enumeration

CWE-407 - Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

References

https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b

https://github.com/go-vikunja/vikunja/pull/2577

https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7