Vulnerability Description
Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets its innerHTML to the task description. Because the description is escaped on neither the server nor the client side, a malicious user can share a project, create a task with a crafted description, and trigger an XSS in the browser of any user who hovers over that task. This vulnerability is fixed in 1.1.0.
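The flaw class described above, as an added illustration that is not Vikunja's code and not the 1.1.0 patch: a description string is interpolated verbatim into markup destined for innerHTML, next to the same rendering with HTML escaping applied first. The function names, the wrapper markup and the sample description are constructed for this example.

```javascript
// Added example (not from the Vikunja project): contrast the unescaped
// innerHTML pattern with an escaping approach, plus a small check that a
// unit test or code review can use to spot injected markup.

// Characters that must be encoded before user text is placed in HTML text content.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string so it is rendered as literal text, never parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern (the class of defect the advisory describes): the description
// is dropped straight into markup that will later be assigned to innerHTML.
function buildTooltipMarkupUnsafe(description) {
  return `<div class="tooltip">${description}</div>`;
}

// Hardened variant: escape first, so tags in the description become inert text.
// In a Vue template the equivalent is `{{ description }}` or `v-text`, not `v-html`.
function buildTooltipMarkupSafe(description) {
  return `<div class="tooltip">${escapeHtml(description)}</div>`;
}

// Smoke check: does anything inside our own wrapper still start a tag?
// An event-handler attribute can only execute inside a tag, so detecting a tag
// start ("<" followed by a letter, "!" or "/") is enough for this purpose.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<div class="tooltip">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample task description carrying an inline event handler.
const SAMPLE_DESCRIPTION = 'Buy milk <img src=x onerror="alert(1)">';

// Stand-alone demonstration.
console.log('unsafe :', buildTooltipMarkupUnsafe(SAMPLE_DESCRIPTION));
console.log('safe   :', buildTooltipMarkupSafe(SAMPLE_DESCRIPTION));
console.log('unsafe contains injected markup?', containsInjectedMarkup(buildTooltipMarkupUnsafe(SAMPLE_DESCRIPTION)));
console.log('safe contains injected markup?  ', containsInjectedMarkup(buildTooltipMarkupSafe(SAMPLE_DESCRIPTION)));
```

Escaping at the rendering point is the minimum client-side fix; if descriptions are meant to carry rich text, the description should instead pass through an allowlist HTML sanitizer (on the server, or on the client before the innerHTML assignment) so that only harmless elements survive. Either way, the rule to review for is that no user-controlled string reaches innerHTML or `v-html` without one of those steps in between.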
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vikunja | Vikunja | < 1.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/go-vikunja/vikunja/commit/dd0b82f00a8c9ded1c19a1e643a197c514b (Patch)
- https://github.com/go-vikunja/vikunja/releases/tag/v1.1.0 (Product, Release Notes)
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v (Third Party Advisory)
- https://vikunja.io/changelog/vikunja-v1.1.0-was-released (Release Notes, Third Party Advisory)
FAQ
What is CVE-2026-25935?
CVE-2026-25935 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server ...
How severe is CVE-2026-25935?
CVE-2026-25935 has been rated MEDIUM with a CVSS base score of 5.4/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2026-25935?
Yes. The issue is fixed in Vikunja 1.1.0; see the references section above for the patch commit, the release notes and the vendor advisory. Affected product: Vikunja (vendor Vikunja), versions prior to 1.1.0.