CVE-2026-25935: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Vikunja

Severity: 8.6 HIGH (NVD)
EPSS: 0.0% (top 97.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 11; Latest update Feb 17

Description

Vikunja is a to-do app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets its innerHtml to the task description. Since the description is not escaped on either the server or the client side, a malicious user can share a project, create a malicious task, and cause an XSS when another user hovers over it. This vulnerability is fixed in 1.1.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 packages)

NVD: vikunja/vikunja < 1.1.0
CVEListV5: go-vikunja/vikunja < 1.1.0

Patches

Vulnerability Details (3)

OSV: Vikunja Vulnerable to XSS Via Task Preview in code.vikunja.io/api (2026-02-17)
OSV: Vikunja Vulnerable to XSS Via Task Preview (2026-02-11)
GHSA: Vikunja Vulnerable to XSS Via Task Preview (2026-02-11)

Threat Intelligence (1)

Wiz: CVE-2026-25935 Impact, Exploitability, and Mitigation Steps | Wiz