Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-35599

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 4 days, 4 hours ago

Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7 x_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/pull/2577 x_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b x_refsource_MISC
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 x_refsource_MISC

Affected products

vikunja

==< 2.3.0

Matching in nixpkgs

pkgs.vikunja

Todo-app to organize your life

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2
nixos-25.11 2.2.2
- nixos-25.11-small 2.2.2
- nixpkgs-25.11-darwin 2.2.2

pkgs.vikunja-desktop

Desktop App of the Vikunja to-do list app

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@kolaente Konrad Langenberg <k@knt.li>