Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.
Published: 2026-04-10
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: iCalendar property injection leading to arbitrary property execution
Action: Apply patch
AI Analysis

Impact

Vikunja relied on raw string concatenation when building iCalendar VTODO entries for CalDAV output. A title containing CRLF characters can break the iCalendar property boundary, making it possible to inject arbitrary properties such as ATTACH, VALARM, or ORGANIZER. The vulnerability enables an attacker to embed malicious iCalendar content, potentially leading to the execution of arbitrary attachments or manipulation of calendar data. While the injection does not immediately grant code execution on the host, it can compromise data integrity and could be leveraged in downstream applications to deliver malware.

Affected Systems

The open-source self‑hosted task management platform Vikunja (go‑vikunja:vikunja) is affected. All releases prior to version 2.3.0 build CalDAV feeds without proper escaping and are vulnerable.

Risk and Exploitability

The CVSS score of 4.1 indicates moderate severity. EPSS information is not available, and the issue is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by creating or modifying a task title with CRLF characters, which any client fetching the CalDAV feed can trigger. Because the vulnerability is present in every install before 2.3.0, the risk is widespread as long as the legacy version remains in use.

Generated by OpenCVE AI on April 10, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.3.0 or later.

Generated by OpenCVE AI on April 10, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2g7h-7rqr-9p4r Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
History

Fri, 17 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.
Title Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:37:03.974Z

Reserved: 2026-04-03T21:25:12.162Z

Link: CVE-2026-35601

cve-icon Vulnrichment

Updated: 2026-04-13T15:25:31.988Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:03.837

Modified: 2026-04-17T21:56:20.487

Link: CVE-2026-35601

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:27Z

Weaknesses