Affected by GO-2026-4480
and 21 other vulnerabilities
GO-2026-4480: Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api
GO-2026-4551: Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change in code.vikunja.io/api
GO-2026-4552: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api
GO-2026-4553: Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api
GO-2026-4556: Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api
GO-2026-4575: Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api
GO-2026-4791: Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api
GO-2026-4794: Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api
GO-2026-4795: Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api
GO-2026-4797: Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api
GO-2026-4798: Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api
GO-2026-4805: Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api
GO-2026-4811: Vikunja Affected by DoS via Image Preview Generation in code.vikunja.io/api
GO-2026-4846: Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api
GO-2026-4847: Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api
GO-2026-4848: Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api
GO-2026-4849: Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api
GO-2026-4850: Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api
GO-2026-4851: Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources in code.vikunja.io/api
GO-2026-4852: Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api
GO-2026-4853: Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api
GO-2026-4855: Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api
Migrate takes a vikunja file export, parses it and imports everything in it into Vikunja.
@Summary Import all projects, tasks etc. from a Vikunja data export
@Description Imports all projects, tasks, notes, reminders, subtasks and files from a Vikunjda data export into Vikunja.
@tags migration
@Accept x-www-form-urlencoded
@Produce json
@Security JWTKeyAuth
@Param import formData string true "The Vikunja export zip file."
@Success 200 {object} models.Message "A message telling you everything was migrated successfully."
@Failure 500 {object} models.Message "Internal server error"
@Router /migration/vikunja-file/migrate [post]
Name is used to get the name of the vikunja-file migration - we're using the docs here to annotate the status route.
@Summary Get migration status
@Description Returns if the current user already did the migation or not. This is useful to show a confirmation message in the frontend if the user is trying to do the same migration again.
@tags migration
@Produce json
@Security JWTKeyAuth
@Success 200 {object} migration.Status "The migration status"
@Failure 500 {object} models.Message "Internal server error"
@Router /migration/vikunja-file/status [get]
Affected by 
Documentation
¶
Source Files