PT-2026-31953 · Vikunja · Vikunja
Published: 2026-04-10 · Updated: 2026-04-10 · CVE-2026-35602
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.3.0
Description: The Vikunja file import endpoint incorrectly uses the attacker-controlled Size field from the JSON metadata within an import zip file, instead of the actual decompressed file content length, for file size enforcement. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker can bypass the configured maximum file size limit. This allows an authenticated user to exhaust server storage by uploading small compressed zip files that decompress into files exceeding the configured maximum file size limit. A single small upload can store a significantly larger amount of data due to zip compression ratios. Repeated exploitation can fill the server's disk, causing a denial of service for all users.

Recommendations: Update to version 2.3.0 or later. As a mitigation, ensure the NewAttachment function uses the actual content length of the file instead of the attacker-controlled Size field:

```go
err = a.NewAttachment(s, bytes.NewReader(a.File.FileContent), a.File.Name, uint64(len(a.File.FileContent)), user)
```
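The following is an added example, not Vikunja's own code: it shows the two size checks side by side. The importMeta type, the entry names (metadata.json, files/...) and the function names are assumptions made for the illustration. The fixture is a constructed zip whose metadata declares a size of 0 while its entry decompresses to 1 MiB; the vulnerable path trusts the declared Size, the hardened path enforces the real decompressed length and stops reading after maxSize+1 bytes so the server never decompresses more than the limit allows.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when an entry's real decompressed length exceeds the limit.
var ErrTooLarge = errors.New("attachment exceeds configured maximum file size")

// importMeta is a hypothetical stand-in for the attacker-controlled JSON
// metadata carried inside the import zip; only Name and Size matter here.
type importMeta struct {
	Name string `json:"name"`
	Size uint64 `json:"size"`
}

// buildImportZip constructs a test archive (not real Vikunja export data):
// metadata.json declares declaredSize bytes, while files/big.bin actually
// holds payloadLen zero bytes, which deflate compresses to almost nothing.
func buildImportZip(declaredSize uint64, payloadLen int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	meta, _ := json.Marshal(importMeta{Name: "big.bin", Size: declaredSize})
	mw, _ := zw.Create("metadata.json")
	mw.Write(meta)
	fw, _ := zw.Create("files/big.bin")
	fw.Write(bytes.Repeat([]byte{0}, payloadLen))
	zw.Close()
	return buf.Bytes()
}

// openEntry returns a reader for the named entry inside the archive.
func openEntry(zr *zip.Reader, name string) (io.ReadCloser, error) {
	for _, f := range zr.File {
		if f.Name == name {
			return f.Open()
		}
	}
	return nil, fmt.Errorf("entry %q not found in archive", name)
}

// parseImport opens the archive, decodes metadata.json and opens the file
// entry it names. Both the vulnerable and the fixed path share this step.
func parseImport(archive []byte) (importMeta, io.ReadCloser, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return importMeta{}, nil, err
	}
	mr, err := openEntry(zr, "metadata.json")
	if err != nil {
		return importMeta{}, nil, err
	}
	defer mr.Close()
	var meta importMeta
	if err := json.NewDecoder(mr).Decode(&meta); err != nil {
		return importMeta{}, nil, err
	}
	fr, err := openEntry(zr, "files/"+meta.Name)
	if err != nil {
		return importMeta{}, nil, err
	}
	return meta, fr, nil
}

// storeTrustingMetadata reproduces the vulnerable check: the limit is compared
// against the JSON Size field, so a declared Size of 0 passes and the entry is
// then read in full, whatever it decompresses to.
func storeTrustingMetadata(archive []byte, maxSize uint64) ([]byte, error) {
	meta, fr, err := parseImport(archive)
	if err != nil {
		return nil, err
	}
	defer fr.Close()
	if meta.Size > maxSize {
		return nil, ErrTooLarge
	}
	return io.ReadAll(fr) // unbounded: the whole decompressed payload reaches storage
}

// storeWithActualLength is the hardened form: the declared Size is never used
// for enforcement. The entry is read through a LimitReader of maxSize+1 bytes,
// so an oversized entry is rejected after at most maxSize+1 decompressed bytes,
// and the length that is enforced is the real content length.
func storeWithActualLength(archive []byte, maxSize uint64) ([]byte, error) {
	_, fr, err := parseImport(archive)
	if err != nil {
		return nil, err
	}
	defer fr.Close()
	content, err := io.ReadAll(io.LimitReader(fr, int64(maxSize)+1))
	if err != nil {
		return nil, err
	}
	if uint64(len(content)) > maxSize {
		return nil, ErrTooLarge
	}
	return content, nil
}

func main() {
	const maxSize = 64 * 1024
	archive := buildImportZip(0, 1<<20) // claims 0 bytes, decompresses to 1 MiB
	fmt.Printf("archive on the wire: %d bytes\n", len(archive))
	got, err := storeTrustingMetadata(archive, maxSize)
	fmt.Printf("declared-size check: stored %d bytes, err=%v\n", len(got), err)
	got, err = storeWithActualLength(archive, maxSize)
	fmt.Printf("actual-length check: stored %d bytes, err=%v\n", len(got), err)
}
```

The LimitReader of maxSize+1 matters as much as the final comparison: checking len(content) after an unbounded io.ReadAll would still decompress the entire entry into memory before rejecting it, which turns a storage-exhaustion issue into a memory-exhaustion one.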
Weakness Enumeration: Allocation of Resources Without Limits
Related Identifiers: CVE-2026-35602
Affected Products: Vikunja