PatchSiren

Vikunja CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Vikunja CVE published 2026-07-10

CVE-2026-56765

A critical vulnerability was discovered in Vikunja, a project management platform, which allows for permission escalation and unauthorized access to file attachments across all projects instance-wide. The vulnerability is caused by an authorization flaw in the LinkSharing.ReadAll endpoint and insecure handling of task IDs in the GetTaskAttachment endpoint. This flaw enables attackers to escalate privilege [truncated]