SCA: security update for code.vikunja.io/api (GHSA-g9xj-752q-xh63)

high Tenable Self-Hosted Container Security Plugin ID 439233

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the
`DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when
downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their
OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or
cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook
system. Version 2.2.1 patches the issue. (CVE-2026-33679)

Solution

Update the code.vikunja.io/api library and its related packages to version 2.2.1 or later.

See Also

https://github.com/advisories/GHSA-g9xj-752q-xh63

Plugin Details

Severity: High

ID: 439233

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 3/26/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.1

Percentile: 49.59

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2026-33679

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/25/2026

Vulnerability Publication Date: 3/24/2026

Reference Information

CVE: CVE-2026-33679

cwe: CWE-918