UNKNOWN Go
Vikunja Vulnerable to XSS Via Task Preview
GHSA-m4g2-2q66-vc9v · CVE-2026-25935 · GO-2026-4480
Description
Summary
The task preview component creates an unparented div and sets its innerHTML to the task's description without escaping it.
Details
In TaskGlanceTooltip.vue the component temporarily creates a div and sets its innerHTML to the task description. Because the description is escaped neither on the server nor on the client, a malicious user can share a project, create a task with a crafted description, and trigger an XSS in another user's browser as soon as that user hovers over the task.
PoC
- Create a project
- Create a task with any description
- Use the API to update the task with a description containing unescaped HTML, for example: <img src=x onerror="alert(localStorage.getItem('token'))">
- Share the project with any permission level
- Send the malicious project to a user and ask them to view the task
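As an added illustration that is not part of the advisory or of Vikunja's code, the following JavaScript reproduces the bug class described above (a hover preview that hands an untrusted description straight to innerHTML) and places an allowlist sanitizer beside it as one way to harden the preview. The tag allowlist, the function names and the sample description are assumptions made for this example; the project's actual fix is in the referenced commit, and a production frontend should use a maintained sanitizer such as DOMPurify rather than the hand-rolled one shown here.

```javascript
// Added example, not code from the Vikunja project. Reproduces the advisory's
// bug class (untrusted task description assigned to innerHTML) and shows an
// allowlist sanitizer as one hardening option. Allowlists, names and sample
// input are assumptions for illustration only.

// Constructed sample input: the advisory's PoC payload inside an otherwise
// ordinary rich-text description, as it might come back from the task API.
const MALICIOUS_DESCRIPTION =
  '<p>Quarterly report</p>' +
  '<img src=x onerror="alert(localStorage.getItem(\'token\'))">';

// Vulnerable pattern: the string returned by the API becomes markup as-is.
// In a browser this is `div.innerHTML = description`, so the onerror handler
// fires the moment the tooltip is rendered, i.e. on hover.
function previewHtmlVulnerable(description) {
  return description;
}

// Tags a task-description preview legitimately needs (assumed list).
const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'strong', 'i', 'em', 'u', 's', 'code', 'ul', 'ol', 'li', 'a',
]);

// Escape text so it can only ever render as text. Existing named or numeric
// entities are left alone so already-encoded content is not double-encoded.
function escapeText(text) {
  return text
    .replace(/&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#\d+|#x[0-9a-fA-F]+);)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function escapeAttr(value) {
  return escapeText(value).replace(/"/g, '&quot;');
}

// Only `href` survives on <a>, and only with an http(s) scheme. Every other
// attribute (all on* handlers, style, src, javascript: links) is dropped.
function safeHref(attrs) {
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
  if (!m) return null;
  const href = (m[1] ?? m[2] ?? m[3]).trim();
  return /^https?:\/\//i.test(href) ? href : null;
}

// Allowlist sanitizer. Each token is a complete tag (`<name attrs>`), a run
// of text, or a stray `<`. Unknown tags are dropped entirely, text is
// escaped, and allowed tags are re-emitted without their original attributes.
function sanitizeHtml(html) {
  const tokenRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>|[^<]+|</g;
  let out = '';
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [token, slash, rawName, attrs] = m;
    if (rawName === undefined) {            // text run or lone '<'
      out += escapeText(token);
      continue;
    }
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;  // drops <img>, <script>, <svg>, ...
    if (slash) {
      out += `</${name}>`;
      continue;
    }
    if (name === 'a') {
      const href = safeHref(attrs);
      out += href
        ? `<a href="${escapeAttr(href)}" rel="noopener noreferrer">`
        : '<a>';
    } else {
      out += `<${name}>`;
    }
  }
  return out;
}

// Hardened pattern: sanitize before anything reaches innerHTML.
function previewHtmlSafe(description) {
  return sanitizeHtml(description);
}
```

With the sample description, `previewHtmlVulnerable` hands the `<img ... onerror=...>` element to the DOM unchanged, while `previewHtmlSafe` returns only `<p>Quarterly report</p>`. The sanitizer is deliberately strict rather than clever: anything that is not a well-formed tag in the allowlist is either dropped or escaped, so split-tag tricks such as `<scr<script>ipt>` end up as inert text. If the preview does not need formatting at all, the simpler and safer option is to assign the description via `textContent` (or `escapeText` here) and never touch innerHTML.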
Impact
Any user on an instance can trigger an XSS against another user; the PoC payload, for example, reads the victim's session token from localStorage.
References
- WEB https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-25935
- WEB https://github.com/go-vikunja/vikunja/commit/dd0b82f00a8c9ded1c19a1e643a197c514be6d37
- PACKAGE https://github.com/go-vikunja/vikunja
- WEB https://github.com/go-vikunja/vikunja/releases/tag/v1.1.0
- WEB https://vikunja.io/changelog/vikunja-v1.1.0-was-released