4 matches found

RedhatCVE
added 2026/02/13 1:30 a.m., 5 views

CVE-2026-25935

Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHTML to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS o...

CVSS: 8.6, AI score: 5.5, EPSS: 0.00227
Exploits: 0, References: 1
OSV
added 2026/02/11 6:39 p.m., 3 views

GHSA-M4G2-2Q66-VC9V Vikunja Vulnerable to XSS Via Task Preview

Summary: The task preview component creates an unparented div. The div's innerHTML is set to the unescaped description of the task. Details: In the TaskGlanceTooltip.vue it temporarily creates a div and sets the innerHTML to the description here. Since there is no escaping on either the server or...

CVSS: 8.6, AI score: 5.5, EPSS: 0.00227
Exploits: 0, References: 6
Github Security Blog
added 2026/02/11 6:39 p.m., 4 views

Vikunja Vulnerable to XSS Via Task Preview

Summary: The task preview component creates an unparented div. The div's innerHTML is set to the unescaped description of the task. Details: In the TaskGlanceTooltip.vue it temporarily creates a div and sets the innerHTML to the description here. Since there is no escaping on either the server or...

CVSS: 8.6, AI score: 5.5, EPSS: 0.00227
Exploits: 0, References: 6, Affected Software: 1
Positive Technologies
added 2026/02/11 12:00 a.m., 7 views

PT-2026-7716

Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 1.1.0. Description: Vikunja, a todo-app, contains a cross-site scripting (XSS) issue in the task preview mechanism. The TaskGlanceTooltip.vue component creates a temporary div and sets its innerHTML to the task descriptio...

CVSS: 9.9, AI score: 5.4, EPSS: 0.27661
Exploits: 44, References: 119