Injection Vulnerability in Vikunja Task Management Platform
CVE-2026-35601

4.1 MEDIUM

Key Information:

Vendor: Go-vikunja

Status
Vendor
CVE Published: 10 April 2026

What is CVE-2026-35601?

The Vikunja task management platform is vulnerable to iCalendar property injection because user-controlled task titles are handled improperly. The CalDAV output generator builds its output by raw string concatenation and does not escape CRLF characters as RFC 5545 requires. As a result, an attacker can make unauthorized alterations to the generated iCalendar entries by injecting unwanted properties such as ATTACH, VALARM, or ORGANIZER. A patch for this vulnerability was included in version 2.3.0.
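The flaw class described above, shown as an added example (this is not Vikunja's code or its patch; the function names and the sample title are constructed for illustration): raw concatenation of a title into a SUMMARY line next to a version that applies RFC 5545 TEXT escaping first.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeText applies RFC 5545 section 3.3.11 TEXT escaping to a property value.
// Line breaks are normalised first so no raw CR or LF reaches the output.
func escapeText(s string) string {
	s = strings.ReplaceAll(s, "\r\n", "\n") // treat CRLF as one line break
	s = strings.ReplaceAll(s, "\r", "\n")   // a bare CR must not survive either
	// NewReplacer works in a single pass, so the backslashes it emits
	// are not escaped a second time.
	r := strings.NewReplacer(`\`, `\\`, ";", `\;`, ",", `\,`, "\n", `\n`)
	return r.Replace(s)
}

// summaryUnsafe shows the vulnerable pattern: the title is concatenated as-is.
func summaryUnsafe(title string) string {
	return "SUMMARY:" + title + "\r\n"
}

// summarySafe escapes the value before placing it on the content line.
func summarySafe(title string) string {
	return "SUMMARY:" + escapeText(title) + "\r\n"
}

// contentLines counts the CRLF-delimited content lines a consumer would parse.
func contentLines(out string) int {
	return len(strings.Split(strings.TrimSuffix(out, "\r\n"), "\r\n"))
}

func main() {
	// Constructed sample title: a CRLF followed by a property name.
	title := "Review budget\r\nATTACH:https://example.invalid/file"

	unsafe, safe := summaryUnsafe(title), summarySafe(title)
	fmt.Printf("unsafe: %d content lines: %q\n", contentLines(unsafe), unsafe)
	fmt.Printf("safe:   %d content line:  %q\n", contentLines(safe), safe)
}
```

The example covers value escaping only; folding of long content lines, which RFC 5545 also specifies, is left out.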

Affected Version(s)

vikunja < 2.3.0

CVSS V3.1

Score: 4.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
