Vikunja
vikunja.io Web, Android LinuxVikunja is an open-source to-do application. It is suitable for a wide variety of projects, supporting List, Gantt, Table and Kanban views to visualize all tasks in different contexts. For collaboration, it has sharing support via private teams or public links. It can be self-hosted or used as a managed service for a small fee.
- Homepage: vikunja.io
- GitHub: github.com/go-vikunja/vikunja
- Web info: web-check.xyz/check/vikunja.io
Vikunja Source Code
Author
Description
The to-do app to organize your life.
Homepage
https://vikunja.ioLicense
AGPL-3.0
Created
28 Nov 18
Last Updated
09 Jun 26
Latest version
Primary Language
Go
Size
80,568 KB
Stars
4,476
Forks
492
Watchers
4,476
Language Usage
Star History
Top Contributors
-
@kolaente (6901)
-
@renovate[bot] (962)
-
@dpschen (778)
-
@vikunja-bot (178)
-
@tink-bot (78)
-
@Elscrux (35)
-
@Copilot (28)
-
@dependabot[bot] (25)
-
@maggch97 (17)
-
@WofWca (16)
-
@claude (13)
-
@JohnStarich (13)
-
@mdrkrg (13)
-
@xela-zone (6)
-
@adrinux (6)
-
@profi248 (5)
-
@jyte (4)
-
@davidangel (4)
-
@shilch (4)
-
@jtojnar (4)
-
@freaktechnik (4)
-
@andreymal (4)
-
@Tokra110 (3)
-
@eljef (3)
-
@LucaBernstein (3)
-
@mithileshgupta12 (3)
-
@NeoHuncho (3)
-
@rhclayto (3)
-
@Viehlieb (3)
-
@surfingbytes (3)
-
@zapp88 (2)
-
@bradmartin333 (2)
-
@azymondrian (2)
-
@vlasov-y (2)
-
@CrazyWolf13 (2)
-
@MGChecker (2)
-
@Quiwy (2)
-
@furai (2)
-
@KaibutsuX (2)
-
@javabrett (2)
-
@Saxos-Simone (1)
-
@subnut (1)
-
@TheEdgeOfRage (1)
-
@deadLocks21 (1)
-
@v-yarotsky (1)
-
@vovochka404 (1)
-
@XiangCany (1)
-
@TheZoker (1)
-
@blacksmith-sh[bot] (1)
-
@cr1xu5 (1)
-
@treysu (1)
-
@IAMSamuelRodda (1)
-
@remilapeyre (1)
-
@RyanHecht (1)
-
@RoboMagus (1)
-
@rhysmcneill (1)
-
@Rein-R3 (1)
-
@Raymi306 (1)
-
@capriolo (1)
-
@pano9000 (1)
-
@n-nkm (1)
-
@the-darkvoid (1)
-
@stephen-hill (1)
-
@SteffeyDev (1)
-
@simonsmd (1)
-
@rudd6617 (1)
-
@rriski (1)
-
@primeapple (1)
-
@nithinvarma411 (1)
-
@naleo (1)
-
@leggettc18 (1)
-
@kompetenzbolzen (1)
-
@jontyms (1)
-
@jonastheis (1)
-
@jayden-chan (1)
-
@j-hugo (1)
-
@graves501 (1)
-
@erri120 (1)
-
@edelgrace (1)
-
@earnestma (1)
-
@devadattas (1)
-
@hcuk94 (1)
-
@HarryEMartland (1)
-
@hangya (1)
-
@Jackymancs4 (1)
-
@Hudint (1)
-
@fleaz (1)
-
@ZeWaren (1)
-
@SDonCode (1)
-
@waza-ari (1)
-
@danstewart (1)
-
@JimChr-R4GN4R (1)
-
@civascu (1)
-
@chau-intl (1)
-
@Bouni (1)
-
@Biagio00 (1)
-
@belidzs (1)
-
@ariep (1)
-
@thelicato (1)
-
@vonalbert (1)
Recent Commits
-
chore(deps): update dev-dependencies to v8.61.0
-
feat(labels): let bot owners manage labels created by their bots Bot owners inherit read/update/delete permission on labels created by bots they own, mirroring the bot-owner branch already used by API tokens (see api_tokens_permissions.go). Without this, a label a bot creates is permanently locked to that bot and the human owner cannot maintain it. https://claude.ai/code/session_016x6mUPJuuQEeXpHY814iLh
-
chore(deps): update devenv
-
chore(i18n): update translations via Crowdin
-
[skip ci] Updated swagger docs
-
refactor(time-tracking): drop the now-redundant duration clamp in the entry list
-
fix(time-tracking): reject inverted time-entry intervals
-
test(time-tracking): add end-to-end coverage
-
i18n(time-tracking): add the time-tracking UI strings
-
feat(time-tracking): configure the smart-fill start time in settings
-
feat(time-tracking): add the time-tracking view
-
feat(time-tracking): add the task-detail time-tracking section
-
feat(time-tracking): add the sidebar navigation entry
-
feat(time-tracking): show a running-elsewhere badge in the header
-
feat(time-tracking): add the timer badge
-
feat(time-tracking): add the time-entry list
-
feat(time-tracking): add the time-entry form
-
feat(time-tracking): extract the smart-fill start computation
-
feat(date): accept a null modelValue in DatepickerWithRange
-
feat(date): show the matching preset name on the date-range button
-
feat(input): add quick-select shortcuts to the Datepicker
-
feat(time-tracking): add the time-tracking store
-
feat(time-tracking): add the v2 time-entry service
-
refactor(config): add PRO_FEATURE constants for licensed features
-
fix(api/v2): expose v2-only token route groups via the routes endpoint
-
fix(api/v2): group time-entries token routes under their own scope
-
test(time-tracking): cover the v2 time-entry routes
-
test(time-tracking): cover the time_entries model
-
feat(time-tracking): let clients subscribe to timer events
-
feat(time-tracking): broadcast timer changes over websocket
Vikunja Security
Security Advisories (36)
- medium Unpatched CVSS 4.3
CVE-2026-40103 Scoped API tokens with projects.background permission can delete project backgrounds
- high Patched CVSS 7.4
CVE-2026-34727 TOTP Two-Factor Authentication Bypass via OIDC Login Path
- medium Patched CVSS 4.1
CVE-2026-35601 iCalendar Property Injection via CRLF in CalDAV Task Output
- medium Patched CVSS 5.4
CVE-2026-35600 HTML Injection via Task Titles in Overdue Email Notifications
- medium Patched CVSS 6.5
CVE-2026-35599 Algorithmic Complexity DoS in Repeating Task Handler
- medium Patched CVSS 5.4
CVE-2026-35602 File Size Limit Bypass via Vikunja Import
- medium Patched CVSS 4.3
CVE-2026-35598 Missing Authorization on CalDAV Task Read
- medium Patched CVSS 5.9
CVE-2026-35597 TOTP Brute-Force Due to Non-Functional Account Lockout
- medium Patched CVSS 4.3
CVE-2026-35596 Broken Access Control on Label Read via SQL Operator Precedence Bug
- high Patched CVSS 8.3
CVE-2026-35595 Privilege Escalation via Project Reparenting
- medium Patched CVSS 6.5
CVE-2026-35594 Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
- medium Patched
CVE-2026-33700 Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
- high Patched
CVE-2026-33668 Disabled/Locked User Accounts Can Still Authenticate via API Tokens, CalDAV, and OpenID Connect
- medium Patched CVSS 6.4
CVE-2026-33679 SSRF via OpenID Connect Avatar Download Bypasses Webhook SSRF Protections
- medium Patched CVSS 6.4
CVE-2026-33675 SSRF via Todoist/Trello Migration File Attachment URLs Allows Reading Internal Network Resources
- medium Patched CVSS 6.5
CVE-2026-33676 Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
- medium Patched CVSS 6.5
CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
- high Patched CVSS 8.1
CVE-2026-33678 IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
- high Patched CVSS 7.5
CVE-2026-33680 Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
- critical Patched CVSS 9.1
GHSA-2pv8-4c52-mf8j Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR
- high Unpatched
CVE-2026-33334 Any frontend XSS escalates to Remote Code Execution due to nodeIntegration in Vikunja Desktop
- high Unpatched
CVE-2026-33335 Arbitrary local application invocation via unvalidated shell.openExternal in Vikunja Desktop
- critical Unpatched
CVE-2026-33336 Remote Code Execution via same-window navigation in Vikunja Desktop
- medium Patched
CVE-2026-33313 IDOR in Task Comments Allows Reading Arbitrary Comments
- medium Unpatched
CVE-2026-33312 Read-only users can delete project background images via broken object-level authorization
- medium Patched
CVE-2026-33315 2FA Bypass via Caldav Basic Auth
- high Patched CVSS 8.1
CVE-2026-33316 Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
- medium Unpatched CVSS 5.7
CVE-2026-33473 TOTP Reuse During Validity Window
- high Unpatched
CVE-2026-33474 DoS via Image Preview Generation
- medium Unpatched CVSS 5.3
CVE-2026-29794 Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers
- critical Patched CVSS 9.8
CVE-2026-28268 Account Takeover via Password Reset Token Reuse
- high Patched CVSS 7.2
CVE-2026-27819 Path Traversal in CLI Restore
- critical Patched CVSS 9.1
CVE-2026-27575 Weak Password Policy Combined with Persistent Sessions After Password Change
- high Patched CVSS 7.3
CVE-2026-27616 Stored Cross-Site Scripting (XSS) via Unsanitized SVG Attachment Upload Leading to Token Exposure
- medium Patched CVSS 6.1
CVE-2026-27116 Reflected HTML Injection via filter Parameter in Projects Module
- high Unpatched
CVE-2026-25935 XSS Via Task Preview
Vikunja Website
Website
Vikunja: The task manager you actually own
Vikunja is open-source task management you can self-host. Lists, Kanban, Gantt, and more — on your server or ours. Made and hosted in the EU.
Redirects
Does not redirect
Security Checks
All 65 security checks passed
Server Details
- IP Address 104.21.47.206
- Location San Francisco, California, United States of America, NA
- ISP CloudFlare Inc.
- ASN AS13335
Associated Countries
-
US -
DE
Safety Score
Website marked as safe
100%
Blacklist Check
vikunja.io was found on 0 blacklists
- AntiSocial Blacklist
- Artists Against 419
- Badbitcoin
- Bambenek Consulting
- CERT Polska
- CoinBlockerLists
- CRDF
- CryptoScamDB
- EtherAddressLookup
- EtherScamDB
- Fake Website Buster
- MetaMask EthPhishing
- NABP Not Recommended Sites
- OpenPhish
- PetScams
- PhishFeed
- PhishFort
- Phishing.Database
- PhishStats
- PhishTank
- Phishunt
- RPiList Not Serious
- Scam.Directory
- SecureReload Phishing List
- Spam404
- StopGunScams
- Suspicious Hosting IP
- ThreatFox
- ThreatLog
- TweetFeed
- URLhaus
- ViriBack C2 Tracker
Website Preview
Vikunja Docker
Container Info
Vikunja
The to-do app to organize your life.| Before use create custom template and Edit: VIKUNJA_SERVICE_FRONTENDURL , VIKUNJA_API_URL & VIKUNJA_SERVICE_JWTSECRET
Run Command
docker run -d \
-e PUID=${PUID} \
-e PGID=${PGID} \
-e PORT=${PORT} \
Compose File
version: 3.8
services:
vikunja:
environment:
PUID: 1000
PGID: 1000
PORT: Environment Variables
- Var Name Default
- PUID 1000
- PGID 1000
- PORT null
Vikunja Reviews
More Cloud Productivity Suites
-
A zero knowledge cloud productivity suite. Provides Rich Text, Presentations, Spreadsheets, Kanban, Paint a code editor and file drive. All notes and user content, are encrypted by default, and can only be accessed with specific URL. The main disadvantage, is a lack of Android, iOS and desktop apps - CryptPad is entirely web-based. You can use their web service, or you can host your own instance. Price for hosted: free for 50mb or $5/ month for premium.
-
A platform providing online services based on principles of freedom, privacy, federation and decentralization. It is an implementation of NextCloud, with strong encryption configured - it is widely used by journalists, activists and whistle-blowers. It is free to use, but there have been reported reliability issues of the cloud services.
-
A complete self-hosted productivity platform, with a strong community and growing app store. NextCloud is similar to (but arguably more complete than) Google Drive, Office 365 and Dropbox. Clear UI and stable native apps across all platforms, and also supports file sync. Supports encrypted files, but you need to configure this yourself. Fully open source.
-
An open source platform for self-hosting web apps. Once you've set it up, you can install items from the Sandstorm App Market with -click, similar to NextCloud in terms of flexibility.
About the Data: Vikunja
Change History
- Added #36
API
You can access Vikunja's data programmatically via our API. Simply make a GET request to:
https://api.awesome-privacy.xyz/v1/services/vikunjaThe REST API is free, no-auth and CORS-enabled. To learn more, view the API Docs or read the API Usage Guide.
Share Vikunja
Help your friends compare Cloud Productivity Suites, and pick
privacy-respecting software and services.
Share Vikunja and Awesome Privacy with your network!