CVE-2026-35600 Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags,...

CVE-2026-35600 Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags,...

Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Summary Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags, injected Markdown constructs produce phishing links and tracking pixels in...

GHSA-45Q4-X4R9-8FQJ Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Summary Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags, injected Markdown constructs produce phishing links and tracking pixels in...

PT-2026-31951

Summary Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags, injected Markdown constructs produce phishing links and tracking pixels in...

Vikunja 跨站脚本漏洞

Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.3.0 had a cross-site scripting vulnerability. This vulnerability occurred when Markdown links were embedded in task titles in overdue email notifications without special characters being...

Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million

The Federal Trade Commission FTC has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data. Cerebral has agreed to an order that will restrict how the company can use or disclose sensitive...

Facebook introduces another way to track you – Link History

In what seems like yet another attempt to adapt its platform to prepare for new regulations, Facebook has started rolling out a new feature called Link History. Link History allows users to view and re-visit links they have visited with their Facebook browsing activity. Obviously Facebook will te...

Acquia Mautic Cross-Site Scripting (CVE-2022-25772)

A cross-site scripting vulnerability exists in Mautic. The vulnerability is due to improperly sanitized user metadata collected from tracking pixels...

Doctrack - Tool To Manipulate And Insert Tracking Pixels Into Office Open XML Documents (Word, Excel)

Tool to manipulate and insert tracking pixels into Office Open XML documents. Features Insert tracking pixels into Office Open XML documents Word and Excel Inject template URL for remote template injection attack Inspect external target URLs and metadata Create Office Open XML documents TODO...