Vikunja, an open‑source self‑hosted task management platform, renders task titles directly inside Markdown link syntax in overdue email notifications. Prior to version 2.3.0 the Markdown engine (goldmark) and sanitiser (bluemonday) do not escape special characters, allowing an attacker to embed malicious Markdown that translates into untrusted HTML when the email is rendered. This can produce phishing links or tracking pixels within legitimate notification emails. The vulnerability does not grant arbitrary code execution but enables social‑engineering attacks and covert monitoring of user interactions with those emails.

The flaw affects all instances of Vikunja running any version older than 2.3.0. The CNA lists the product as go‑vikunja:vikunja. Users deploying the open‑source platform in self‑hosted environments are at risk until they update to the patched release.

The CVSS base score is 5.4, indicating a medium severity. EPSS information is not provided, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote via email notifications sent to end users; an attacker needs the ability to create or edit a task title containing malicious content. Exploitation is straightforward for anyone with write access to tasks, making the risk significant for environments with insufficient user controls.