CVE-2026-35602: Vikunja has File Size Limit Bypass via Vikunja Import

April 10, 2026

The Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit.

References

github.com/advisories/GHSA-qh78-rvg3-cv54
github.com/go-vikunja/vikunja
github.com/go-vikunja/vikunja/pull/2575
github.com/go-vikunja/vikunja/releases/tag/v2.3.0
github.com/go-vikunja/vikunja/security/advisories/GHSA-qh78-rvg3-cv54
nvd.nist.gov/vuln/detail/CVE-2026-35602

Code Behaviors & Features

Detect and mitigate CVE-2026-35602 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →