Login Sign Up

CVE-2026-25935

5.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Vikunja todo application where malicious HTML/JavaScript can be injected into task descriptions. When users hover over affected tasks, the injected code executes in their browser context. All Vikunja instances running versions before 1.1.0 are affected.

💻 Affected Systems

Products:
  • Vikunja
Versions: All versions prior to 1.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with task sharing enabled are vulnerable. The vulnerability requires a malicious user to create or modify tasks.

📦 What is this software?

Vikunja by Vikunja

View all CVEs affecting Vikunja →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠

Likely Case

Session hijacking, credential theft, or unauthorized actions performed within the Vikunja application.

🟢

If Mitigated

Limited impact if proper content security policies are enforced and users have minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated user to create malicious task and another user to hover over it. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.0

Vendor Advisory: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v

Restart Required: No

Instructions:

1. Backup your Vikunja instance. 2. Update to version 1.1.0 or later using your package manager or download from GitHub releases. 3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable task sharing

all

Prevent users from sharing projects/tasks to limit attack surface

Implement Content Security Policy

all

Add CSP headers to restrict script execution

Add 'Content-Security-Policy: default-src 'self'' to web server configuration

🧯 If You Can't Patch

  • Disable hover tooltips in TaskGlanceTooltip.vue component
  • Implement input validation to sanitize HTML in task descriptions

🔍 How to Verify

Check if Vulnerable:

Check Vikunja version in admin panel or via API. If version is below 1.1.0, you are vulnerable.

Check Version:

Check Vikunja web interface admin panel or run: docker exec vikunja ./vikunja version

Verify Fix Applied:

After updating to 1.1.0+, verify that HTML in task descriptions is properly escaped when displayed in tooltips.

📡 Detection & Monitoring

Log Indicators:

  • Unusual task creation/modification patterns
  • Multiple failed login attempts followed by task creation

Network Indicators:

  • Suspicious JavaScript payloads in HTTP POST requests to task endpoints

SIEM Query:

source="vikunja" AND (event="task_create" OR event="task_update") AND description CONTAINS "<script>"

📊 Metadata

CVE ID: CVE-2026-25935
CVSS v3 Score: 5.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-80
EPSS Score: 0.02% exploit probability (2.8th percentile)
Published: February 11, 2026
Last Updated: February 20, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-25935, you might also want to check these:

CVE-2023-39216 9.6

An improper input validation vulnerability in Zoom Desktop Client for Windows allows unauthenticated...

Same vulnerability type (CWE-80)
CVE-2024-52300 9.0

CVE-2024-52300 is a cross-site scripting (XSS) vulnerability in the macro-pdfviewer component for XW...

Same vulnerability type (CWE-80)
CVE-2024-41947 9.0

This XWiki vulnerability allows attackers to inject and execute JavaScript code in the context of hi...

Same vulnerability type (CWE-80)