CVE-2026-35601
Published 2026-04-10
Priority: P4 · Severity: medium · CVSS 3.1 base score: 4.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
EPSS: 0.20% (9.5th percentile)
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0 < 2.3.0 | 2.3.0 |
| go-vikunja | vikunja | < 2.3.0 | 2.3.0 |
| vikunja | vikunja | < 2.3.0 | 2.3.0 |
GHSA (2026-04-10): Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output (CVE-2026-35601, MEDIUM, CWE-93)
## Summary
The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as `ATTACH`, `VALARM`, or `ORGANIZER`.
## Details
The `ParseTodos` function at `pkg/caldav/caldav.go:146` concatenates the task summary directly into the iCalendar output:
```go
SUMMARY:` + t.Summary + getCaldavColor(t.Color)
```
RFC 5545 Section 3.3.11 requires TEXT property values to escape newlines as `\n`, semicolons as `\;`, commas as `\,`, and backslashes as `\\`. None of these escaping rules are applied to `Summar
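The escaping the advisory refers to, as an added example that is not Vikunja's own code: `escapeICalText` applies the RFC 5545 TEXT rules, and the vulnerable and hardened builders show how a constructed title containing CRLF yields a second property in one case and a single escaped SUMMARY in the other. All function names and the sample title are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeICalText applies RFC 5545 section 3.3.11 TEXT escaping: backslash
// first, then semicolon, comma and newline. A bare CR has no place in a
// TEXT value, so it is dropped; a CRLF therefore collapses to an escaped "\n".
func escapeICalText(s string) string {
	s = strings.ReplaceAll(s, "\\", "\\\\")
	s = strings.ReplaceAll(s, ";", "\\;")
	s = strings.ReplaceAll(s, ",", "\\,")
	s = strings.ReplaceAll(s, "\r\n", "\n")
	s = strings.ReplaceAll(s, "\r", "")
	s = strings.ReplaceAll(s, "\n", "\\n")
	return s
}

// vulnerableSummary mirrors the raw concatenation pattern from the advisory.
func vulnerableSummary(title string) string {
	return "SUMMARY:" + title + "\r\n"
}

// hardenedSummary escapes the title before placing it in the property value.
func hardenedSummary(title string) string {
	return "SUMMARY:" + escapeICalText(title) + "\r\n"
}

// propertyNames lists the property names a CRLF-delimited iCalendar consumer
// would see; an unescaped CRLF in the title shows up as an extra property.
func propertyNames(ics string) []string {
	var names []string
	for _, line := range strings.Split(strings.TrimSuffix(ics, "\r\n"), "\r\n") {
		if i := strings.Index(line, ":"); i > 0 {
			names = append(names, line[:i])
		}
	}
	return names
}

func main() {
	// Constructed task title with an embedded CRLF, as the advisory describes.
	title := "Buy milk\r\nATTACH:http://example.invalid/"
	fmt.Printf("vulnerable: %q\n", propertyNames(vulnerableSummary(title)))
	fmt.Printf("hardened:   %q\n", propertyNames(hardenedSummary(title)))
}
```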
VulDB (2026-04-10, CVSS 4.1): go-vikunja up to 2.2.x iCalendar VTODO Entry CRLF injection (GHSA-2g7h-7rqr-9p4r), CVE-2026-35601 [MEDIUM]
A vulnerability marked as problematic has been reported in go-vikunja vikunja up to 2.2.x. It affects an unknown function of the component iCalendar VTODO Entry Handler. Manipulation of the input results in CRLF injection.
This vulnerability is identified as CVE-2026-35601. The attack can be initiated remotely. No exploit is publicly available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-10