PT-2026-27446 · Vikunja · Vikunja

Restriction · Published 2026-03-24 · Updated 2026-03-27 · CVE-2026-33675

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Vikunja versions prior to 2.2.1

Description

Vikunja is a self-hosted task management platform. Prior to version 2.2.1, the DownloadFile and DownloadFileWithHeaders functions in pkg/modules/migration/helpers.go have no Server-Side Request Forgery (SSRF) protection. During Todoist or Trello migrations, these functions fetch file attachment URLs taken directly from the third-party API responses. An attacker can therefore make the Vikunja server request internal network resources and receive the response as a downloadable task attachment.

Recommendations

Update to version 2.2.1 or later.
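
For download helpers of the kind described above, one common SSRF control is to reject internal destinations at connect time, after DNS resolution. The Go code below is an added example, not Vikunja's code or its 2.2.1 fix; the names newSafeClient, checkDialAddr, isPublicIP and the sample URL are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

var errBlockedAddr = errors.New("destination address not allowed")

// isPublicIP rejects loopback, private (RFC 1918 / ULA), link-local,
// multicast and unspecified addresses. Not exhaustive: extend per deployment.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsMulticast() || ip.IsUnspecified())
}

// checkDialAddr is a net.Dialer Control hook. It runs after DNS resolution and
// before connect, so it also covers redirects and names that resolve inward.
func checkDialAddr(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || !isPublicIP(ip) {
		return fmt.Errorf("%w: %s", errBlockedAddr, address)
	}
	return nil
}

// newSafeClient (hypothetical name) builds a client for untrusted URLs.
// No proxy is set, so the hook sees the real destination, not a proxy address.
func newSafeClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: checkDialAddr}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
	}
}

func main() {
	// Constructed URL standing in for an attachment URL from a migration API.
	_, err := newSafeClient().Get("http://127.0.0.1:8080/internal")
	fmt.Println("blocked:", errors.Is(err, errBlockedAddr), err)
}
```

Checking the resolved IP in the dialer, rather than parsing the URL's hostname up front, avoids a gap between validation and connection when a hostname resolves to different addresses over time.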

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33675
GHSA-G66V-54V9-52PR
GO-2026-4851
SUSE-SU-2026:1135-1

Affected Products

Vikunja