Home

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.

PUBLISHED Reserved 2026-04-03 | Published 2026-04-10 | Updated 2026-04-13 | Assigner GitHub_M




MEDIUM: 4.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Problem types

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Product status

< 2.3.0
affected

References

github.com/...ikunja/security/advisories/GHSA-2g7h-7rqr-9p4r exploit

github.com/...ikunja/security/advisories/GHSA-2g7h-7rqr-9p4r

github.com/go-vikunja/vikunja/pull/2580

github.com/go-vikunja/vikunja/releases/tag/v2.3.0

cve.org (CVE-2026-35601)

nvd.nist.gov (CVE-2026-35601)

Download JSON