Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33473

5.7 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 month ago Activity log

Created suggestion 1 month ago

Vikunja has TOTP Reuse During Validity Window

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r x_refsource_CONFIRM
https://vikunja.io/changelog/vikunja-v2.2.0-was-released x_refsource_MISC
https://vikunja.io/changelog/vikunja-v2.2.2-was-released x_refsource_MISC

Affected products

vikunja

==>= 0.13, < 2.2.1

Matching in nixpkgs

pkgs.vikunja

Todo-app to organize your life

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.2.0
nixos-25.11 2.2.0
- nixos-25.11-small 2.2.0
- nixpkgs-25.11-darwin 2.2.0

pkgs.vikunja-desktop

Desktop App of the Vikunja to-do list app

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.2.0

Package maintainers