CVE-2026-35601
MEDIUMVikunja <2.3.0 CalDAV Task Output - iCalendar Property Injection
Title source: manualDescription
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r
X_Refsource_Misc x_refsource_misc
https://github.com/go-vikunja/vikunja/pull/2580
X_Refsource_Misc x_refsource_misc
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
Scores
CVSS v3
4.1
EPSS
0.0020
EPSS Percentile
9.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-93
Status
published
Products (3)
code.vikunja.io/api
0 - 2.3.0Go
go-vikunja/vikunja
< 2.3.0
vikunja/vikunja
< 2.3.0
Published
Apr 10, 2026
Tracked Since
Apr 10, 2026