Zero-DayCVE-2026-28268CVSS 9.8

CVE-2026-28268: Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password r

NVD/CVE · [email protected]2/28/2026, 2:16:18 AM 98 points

Summary

Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.

Metadata

Article ID: #377
Source: NVD/CVE
Scraped At: 3/2/2026, 7:10:21 AM
URL Hash: d9f024a0283ca810…

CVE-2026-28268: Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password r

Summary

Tags

Metadata