Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0.
References
| Link | Resource |
|---|---|
| https://github.com/go-vikunja/vikunja/commit/dd0b82f00a8c9ded1c19a1e643a197c514be6d37 | Patch |
| https://github.com/go-vikunja/vikunja/releases/tag/v1.1.0 | Product Release Notes |
| https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v | Third Party Advisory |
| https://vikunja.io/changelog/vikunja-v1.1.0-was-released | Release Notes Third Party Advisory |
Configurations
History
20 Feb 2026, 20:17
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-79 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| First Time |
Vikunja
Vikunja vikunja |
|
| CPE | cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* | |
| References | () https://github.com/go-vikunja/vikunja/commit/dd0b82f00a8c9ded1c19a1e643a197c514be6d37 - Patch | |
| References | () https://github.com/go-vikunja/vikunja/releases/tag/v1.1.0 - Product, Release Notes | |
| References | () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v - Third Party Advisory | |
| References | () https://vikunja.io/changelog/vikunja-v1.1.0-was-released - Release Notes, Third Party Advisory |
11 Feb 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-11 21:16
Updated : 2026-02-20 20:17
NVD link : CVE-2026-25935
Mitre link : CVE-2026-25935
CVE.ORG link : CVE-2026-25935
JSON object : View
Products Affected
vikunja
- vikunja