CVE-2026-35600

MEDIUM 5.4

Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

9th

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0.

CWE	CWE-79
Vendor	go-vikunja
Product	vikunja
Published	Apr 10, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for go-vikunja vikunja

Be the first to know when new medium vulnerabilities affecting go-vikunja vikunja are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

go-vikunja / vikunja

< 2.3.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj github.com: https://github.com/go-vikunja/vikunja/pull/2580 github.com: https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64 github.com: https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0