Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.
Published: 2026-04-10
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2g7h-7rqr-9p4r Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
History

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.
Title Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T16:08:50.519Z

Reserved: 2026-04-03T21:25:12.162Z

Link: CVE-2026-35601

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-10T17:17:03.837

Modified: 2026-04-10T17:17:03.837

Link: CVE-2026-35601

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses