Description
Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0.
Published: 2026-02-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via Task Preview
Action: Patch
AI Analysis

Impact

The vulnerability arises when the application renders a task description inside an invisible div without sanitizing the content. A malicious user can create a task with arbitrary JavaScript in the description, which then executes when another user hovers over that task’s preview. This could permit arbitrary code execution, session hijacking, or phishing attacks in the victim’s browser, compromising confidentiality, integrity, and availability of the web session.

Affected Systems

The flaw affects the Vikunja task management application from the vendor go‑vikunja, specifically any release before version 1.1.0. Users running these earlier releases and sharing projects are susceptible to the attack.

Risk and Exploitability

The CVSS score of 8.6 classifies the issue as high severity, but the EPSS score is reported as less than 1 %, indicating a low likelihood of exploitation as of the latest data. It is not listed in the CISA KEV catalog. However, because the flaw can be triggered by any user who can create a task in a shared project, the attack vector is likely an internal or trusted‑user context, and the vulnerability remains exploitable until the upstream patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 1.1.0 or later to apply the server‑side and client‑side sanitization fixes.
  • Remove or sanitize any existing tasks that contain potentially malicious content.
  • Disable hover task preview or restrict the feature to trusted users until the patch is deployed.

Generated by OpenCVE AI on April 17, 2026 at 20:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m4g2-2q66-vc9v Vikunja Vulnerable to XSS Via Task Preview
History

Fri, 20 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
Weaknesses CWE-79
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Thu, 12 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Wed, 11 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0.
Title Vikunja Affected by XSS Via Task Preview
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:17:32.417Z

Reserved: 2026-02-09T16:22:17.786Z

Link: CVE-2026-25935

cve-icon Vulnrichment

Updated: 2026-02-12T21:17:20.900Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T21:16:20.523

Modified: 2026-02-20T20:17:54.320

Link: CVE-2026-25935

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses