CVE-2026-35600
Vikunja prior to 2.3.0 is vulnerable to HTML Injection in overdue email notifications caused by embedding task titles directly in Markdown link syntax without escaping special characters. The task title is placed inside a Markdown link, which can break the link structure if it contains brackets, ...