2 matches found
GHSA-45Q4-X4R9-8FQJ Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Summary Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags, injected Markdown constructs produce phishing links and tracking pixels in...
PT-2026-31951
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.3.0 Description: Vikunja, a self-hosted task management platform, was found to have an issue where task titles were directly embedded into Markdown link syntax in overdue email notifications without proper escaping...