4 matches found
CVE-2026-35601
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...
CVE-2026-35601 Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...
Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
Summary The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as...
PT-2026-31952
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0 Description Vikunja, a self-hosted task management platform, has an issue where the CalDAV output generator doesn't properly escape characters in iCalendar VTODO entries. Specifically, user-controlled task title...