{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35600", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.162Z", "datePublished": "2026-04-10T16:07:07.846Z", "dateUpdated": "2026-04-14T15:01:18.724Z"}, "containers": {"cna": {"title": "Vikunja has HTML Injection via Task Titles in Overdue Email Notifications", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj"}, {"name": "https://github.com/go-vikunja/vikunja/pull/2580", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/pull/2580"}, {"name": "https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64"}, {"name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:07:07.846Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0."}], "source": {"advisory": "GHSA-45q4-x4r9-8fqj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:01:04.698920Z", "id": "CVE-2026-35600", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:01:18.724Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35600", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:01:04.698920Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:01:13.639Z"}}], "cna": {"title": "Vikunja has HTML Injection via Task Titles in Overdue Email Notifications", "source": {"advisory": "GHSA-45q4-x4r9-8fqj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.3.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/pull/2580", "name": "https://github.com/go-vikunja/vikunja/pull/2580", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64", "name": "https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:07:07.846Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35600", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:01:18.724Z", "dateReserved": "2026-04-03T21:25:12.162Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T16:07:07.846Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC8B46CF-6E7B-46F4-8275-D1A38F2A6D5E", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0."}], "id": "CVE-2026-35600", "lastModified": "2026-04-17T21:56:40.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T17:17:03.680", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/go-vikunja/vikunja/pull/2580"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-04-10T17:21:31.970378+00:00", "value": {"mitigation_remediation": ["Upgrade Vikunja to version 2.3.0 or newer, where the injection issue is fixed.", "If upgrading immediately is not possible, disable or suppress overdue email notifications until a patch can be applied.", "Review existing task titles for embedded HTML or Markdown constructs and correct or escape them manually.", "Consider enabling stricter email content filtering to block suspicious HTML tags if notifications cannot be disabled."], "summary": {"action": "Immediate Patch", "impact": "Phishing/Tracking via Email"}, "threat_synthesis": {"affected_systems": "The flaw affects all instances of Vikunja running any version older than 2.3.0. The CNA lists the product as go\u2011vikunja:vikunja. Users deploying the open\u2011source platform in self\u2011hosted environments are at risk until they update to the patched release.", "description_and_impact": "Vikunja, an open\u2011source self\u2011hosted task management platform, renders task titles directly inside Markdown link syntax in overdue email notifications. Prior to version 2.3.0 the Markdown engine (goldmark) and sanitiser (bluemonday) do not escape special characters, allowing an attacker to embed malicious Markdown that translates into untrusted HTML when the email is rendered. This can produce phishing links or tracking pixels within legitimate notification emails. The vulnerability does not grant arbitrary code execution but enables social\u2011engineering attacks and covert monitoring of user interactions with those emails.", "risk_and_exploitability": "The CVSS base score is 5.4, indicating a medium severity. EPSS information is not provided, and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector is remote via email notifications sent to end users; an attacker needs the ability to create or edit a task title containing malicious content. Exploitation is straightforward for anyone with write access to tasks, making the risk significant for environments with insufficient user controls."}}}}, "created": "2026-04-13T12:44:00.629336+00:00", "updated": "2026-04-13T13:00:28.772664+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}