CVE-2026-35601

MEDIUM

Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output

Title source: cna

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.

References (3)

Scores

CVSS v3 4.1
EPSS 0.0003
EPSS Percentile 7.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Details

CWE
CWE-93
Status published
Products (3)
code.vikunja.io/api 0 - 2.3.0Go
go-vikunja/vikunja < 2.3.0
vikunja/vikunja < 2.3.0
Published Apr 10, 2026
Tracked Since Apr 10, 2026