@vikunja.io on Bluesky

JavaScript RequiredThis is a heavily interactive web application, and JavaScript is required. Simple HTML interfaces are possible, but that is not what this is. Learn more about Bluesky at bsky.social and atproto.com.

Post

Vikunja

vikunja.io

did:plc:7jna43jwqkxupyohrkltsscc

Concrete case in Vikunja: CVE-2026-28268. Password reset tokens weren't cleaned up after use. The bug had been there since v0.18.0, shipped September 2021. Almost 5 years. It got caught because the code was public, and a researcher (probably with AI) could look at it and report it responsibly.

2026-04-17T11:25:53.825Z