Detections
Analytics

CVE-2026-35601

medium

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r

https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0

https://github.com/go-vikunja/vikunja/pull/2580

Details

Source: Mitre, NVD

Published: 2026-04-10

Updated: 2026-04-10

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00028