PT-2026-27454 · Vikunja · Vikunja

Kolaente

Published: 2026-03-24

Updated: 2026-03-27

CVE-2026-33700

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Vikunja versions prior to 2.2.1

Description

Vikunja is a self-hosted task management platform. A flaw exists where the DELETE /api/v1/projects/:project/shares/:share endpoint does not confirm that the link share belongs to the project specified in the URL. An attacker with administrator privileges for any project can delete link shares from other projects by using their own project ID along with the target share ID.

Recommendations

Update to version 2.2.1 or later.

Exploit

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-33700
GHSA-F95F-77JX-FCJC
GO-2026-4850
SUSE-SU-2026:1135-1

Affected Products

Vikunja