Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33675

6.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): LOW

created 3 weeks ago

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr x_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e x_refsource_MISC
https://vikunja.io/changelog/vikunja-v2.2.2-was-released x_refsource_MISC
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr exploit

Affected products

vikunja

==< 2.2.1

Matching in nixpkgs

pkgs.vikunja

Todo-app to organize your life

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.2.0
nixos-25.11 2.2.0
- nixos-25.11-small 2.2.0
- nixpkgs-25.11-darwin 2.2.0

pkgs.vikunja-desktop

Desktop App of the Vikunja to-do list app

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.2.0

Package maintainers