CVE-2026-33474: Vikunja Affected by DoS via Image Preview Generation
- Vulnerability: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images.
- Affected code:
  - Decoding without bounds: task_attachment.go:GetPreview
  - Resizing path: resizeImage
  - Endpoint invoking preview: GetTaskAttachment
- Impact: First preview generation per attachment can allocate large memory and spend significant CPU; multiple attachments or concurrent requests can degrade or crash the service.
- CVSS v3.1: 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)