GHSA-M4G2-2Q66-VC9V

Vulnerability from github – Published: 2026-02-11 18:39 – Updated: 2026-02-11 23:14
Summary
Vikunja Vulnerable to XSS Via Task Preview
Details

Summary

The task preview component creates an unparented div. The div's `innerHTML` is set to the unescaped description of the task.

Details

In `TaskGlanceTooltip.vue` the component temporarily creates a div and sets its `innerHTML` to the task description (see https://github.com/go-vikunja/vikunja/blob/cdca79032526966cb248b72bddcf2a0f888c8a8f/frontend/src/components/tasks/partials/TaskGlanceTooltip.vue#L118). Since there is no escaping on either the server or the client side, a malicious user can share a project, create a malicious task, and trigger an XSS when another user hovers over it.

PoC

  1. Create a project
  2. Create a task with any description
  3. Use the API to update the task with a description containing unescaped HTML (for example: `<img src=x onerror="alert(localStorage.getItem('token'))">`)
  4. Share the project with any permission level
  5. Send the malicious project to a user and ask them to view the task

Impact

Any user on an instance can cause an XSS against another user.
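As an added illustration (not Vikunja's code; the function and element names are assumed), the innerHTML-style rendering the advisory describes beside an escaped rendering, plus a check that confirms the description can no longer contribute markup to the preview:

```javascript
// Added illustration (not Vikunja's code): writing a task description into a
// preview element via innerHTML versus via an escaped text rendering.
// Function names and the wrapper element are hypothetical.

// The five characters that must never reach markup unescaped.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string so the browser can only read it as text, never as tags or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the description is concatenated into markup exactly as
// `el.innerHTML = description` would do, so any tag inside it is parsed.
function renderPreviewUnsafe(description) {
  return `<div class="task-preview">${description}</div>`;
}

// Hardened pattern: equivalent to `el.textContent = description` (or to passing
// the description through an HTML sanitizer before assigning innerHTML).
function renderPreviewSafe(description) {
  return `<div class="task-preview">${escapeHtml(description)}</div>`;
}

// Defensive check: true when the rendered preview contains any tag other than
// the wrapper itself, i.e. when description content has become markup.
function previewLeaksMarkup(html) {
  const inner = html
    .replace(/^<div class="task-preview">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample: the kind of description the advisory's PoC describes.
const SAMPLE_DESCRIPTION = '<img src=x onerror="alert(localStorage.getItem(\'token\'))">';

module.exports = { escapeHtml, renderPreviewUnsafe, renderPreviewSafe, previewLeaksMarkup, SAMPLE_DESCRIPTION };
```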


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.24.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-11T18:39:34Z",
    "nvd_published_at": "2026-02-11T21:16:20Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe task preview component creates a unparented div. The div\u0027s `innerHtml` is set to the unescaped description of the task\n\n### Details\nIn the `TaskGlanceTooltip.vue` it temporarily creates a div and sets the `innerHtml` to the description [here](https://github.com/go-vikunja/vikunja/blob/cdca79032526966cb248b72bddcf2a0f888c8a8f/frontend/src/components/tasks/partials/TaskGlanceTooltip.vue#L118). Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover.\n\n### PoC\n1. Create a project\n2. Create a task with any description\n3. Use the api to update the task with a description containing unescaped HTML (ex: `\u003cimg src=x onerror=\"alert(localStorage.getItem(\u0027token\u0027))\"\u003e`\n4. Share the project with any permission level\n5. Send malicious project to user and ask them to view task\n\n### Impact\nAny user on an instance can cause an XSS on another",
  "id": "GHSA-m4g2-2q66-vc9v",
  "modified": "2026-02-11T23:14:19Z",
  "published": "2026-02-11T18:39:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25935"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/dd0b82f00a8c9ded1c19a1e643a197c514be6d37"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/releases/tag/v1.1.0"
    },
    {
      "type": "WEB",
      "url": "https://vikunja.io/changelog/vikunja-v1.1.0-was-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vikunja Vulnerable to XSS Via Task Preview"
}

