CVE-2026-27575CRITICAL 9.1EPSS p34.1%

CVE-2026-27575CVE-2026-27575

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.43% probability of exploitation · percentile 34.1% · 2026-06-18T12:00:27Z
Published2026-02-25
Last modified2026-03-05

Underlying weaknesses· 2

CWE-521CWE-613

References

  1. https://github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8
  2. https://vikunja.io/changelog/vikunja-v2.0.0-was-released

2

TypeTargetConfidenceTier
WeaknessWeak Password Requirementscwe-5210%live
WeaknessInsufficient Session Expirationcwe-6130%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33316
CVE
CVE-2026-28268
CVE
CVE-2026-33668
CVE
CVE-2026-34727
CVE
CVE-2026-33678
CVE
CVE-2026-35595
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.