CVE-2026-35600

MEDIUM

Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Title source: cna

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0.

References (4)

Core 4

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj

X_Refsource_Misc x_refsource_misc

https://github.com/go-vikunja/vikunja/pull/2580

X_Refsource_Misc x_refsource_misc

https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0

Scores

CVSS v3 5.4

EPSS 0.0019

EPSS Percentile 9.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

code.vikunja.io/api 0 - 2.3.0Go

go-vikunja/vikunja < 2.3.0

vikunja/vikunja < 2.3.0

Published Apr 10, 2026

Tracked Since Apr 10, 2026