CVE-2026-35599

Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.3.0

Description: Vikunja, a self-hosted task management platform, contains an issue where the addRepeatIntervalToTime function uses an inefficient loop. An attacker can create a repeating task with a 1-second interval and a due date far in the past, triggering billions of loop iterations. This consumes significant CPU resources and holds database connections for extended periods. The vulnerable function is located at pkg/models/tasks.go:1456-1464. The RepeatAfter field accepts any positive integer, and DueDate accepts any valid timestamp, including dates in the past. When a task with repeat after=1 and due date=1900-01-01 is marked as done, the loop runs approximately 4 billion iterations, potentially exhausting database connections. This can render the Vikunja instance unresponsive, impacting all users.

Recommendations: Upgrade to Vikunja version 2.3.0 or later.