CVE-2026-25935
MEDIUMvikunja/vikunja < 1.1.0 - Stored Cross-Site Scripting via Task Description Hover
Title source: llmDescription
Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v
Patch x_refsource_misc
https://github.com/go-vikunja/vikunja/commit/dd0b82f00a8c9ded1c19a1e643a197c514be6d37
Release Notes x_refsource_misc
https://github.com/go-vikunja/vikunja/releases/tag/v1.1.0
Various Sources x_refsource_misc
https://vikunja.io/changelog/vikunja-v1.1.0-was-released
Scores
CVSS v3
5.4
EPSS
0.0023
EPSS Percentile
13.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
CWE-80
Status
published
Products (2)
code.vikunja.io/api
0Go
vikunja/vikunja
< 1.1.0
Published
Feb 11, 2026
Tracked Since
Feb 18, 2026