18 matches found
CVE-2026-35601
CVE-2026-35601 affects Vikunja prior to 2.3.0 where the CalDAV output generator concatenates iCalendar VTODO fields without RFC 5545 escaping. User-controlled task titles containing CRLF can break the SUMMARY boundary, enabling injection of arbitrary iCalendar properties such as ATTACH, VALARM, o...
CVE-2026-35600
Vikunja prior to 2.3.0 is vulnerable to HTML Injection in overdue email notifications caused by embedding task titles directly in Markdown link syntax without escaping special characters. The task title is placed inside a Markdown link, which can break the link structure if it contains brackets, ...
CVE-2026-35600 Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags,...
CVE-2026-35600 Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags,...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the email notification rendering process. An attacker can inject arbitrary HTML content, such as phishing links or tracking images, by crafting malicious task titles that are embedded in notification emails...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the email notification rendering process. An attacker can inject arbitrary HTML content, such as phishing links or tracking images, by crafting malicious task titles that are embedded in notification emails...
EUVD-2026-21427
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the email notification rendering process. An attacker can inject arbitrary HTML content, such as phishing links or tracking images, by crafting malicious task titles that are embedded in notification emails...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the email notification rendering process. An attacker can inject arbitrary HTML content, such as phishing links or tracking images, by crafting malicious task titles that are embedded in notification emails...
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Summary Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags, injected Markdown constructs produce phishing links and tracking pixels in...
GHSA-45Q4-X4R9-8FQJ Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Summary Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags, injected Markdown constructs produce phishing links and tracking pixels in...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the email notification rendering process. An attacker can inject arbitrary HTML content, such as phishing links or tracking images, by crafting malicious task titles that are embedded in notification emails...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the email notification rendering process. An attacker can inject arbitrary HTML content, such as phishing links or tracking images, by crafting malicious task titles that are embedded in notification emails...
Vikunja 跨站脚本漏洞
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.3.0 had a cross-site scripting vulnerability. This vulnerability occurred when Markdown links were embedded in task titles in overdue email notifications without special characters being...
EUVD-2022-0633
Malicious code in bioql PyPI...
DEBIAN-CVE-2023-33970
Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a missing access control was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they are not invited or...
PT-2023-24610 · Kanboard · Kanboard
Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.30 Description: A missing access control issue was found in Kanboard, allowing a user with the lowest privileges to leak all task and project titles, even if they are not invited or it's a personal project. This...
Kanboard 安全漏洞
Kanboard is a suite of open source visual task board software. The software has the ability to customize the panels to suit the business. A security vulnerability exists in Kanboard 1.2.29 and earlier versions, which stems from a lack of access control and allows a low-privileged user to disclose...