CVE-2026-25935
Published: Feb 11, 2026
Modified: Feb 12, 2026
PUBLISHED
Description
Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets its innerHTML to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0.
| Vendor | Product | Versions |
|---|---|---|
| go-vikunja | vikunja | affected < 1.1.0 |
Weaknesses (CWE)
References
https://github.com/go-vikunja/vikunja/releases/tag/v1.1.0
x_refsource_MISC
https://vikunja.io/changelog/vikunja-v1.1.0-was-released
x_refsource_MISC