CVE-2026-35601 — CRLF Injection in Vikunja

CWE-93 — CRLF Injection3 documents3 sources

Severity

4.1MEDIUMNVD

EPSS

0.0%

top 92.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Code.vikunja.io API

Timeline

PublishedApr 10

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:NExploitability: 2.3 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5go-vikunja/vikunja< 2.3.0

▶Gocode.vikunja.io/api< 2.3.0

🔴Vulnerability Details

GHSA

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output↗2026-04-10

▶

VulDB

go-vikunja up to 2.2.x iCalendar VTODO Entry crlf injection (GHSA-2g7h-7rqr-9p4r)↗2026-04-10

▶