4.1
CVE-2026-35601
- EPSS 0.2%
- Published 10.04.2026 16:08:50
- Last modified 17.04.2026 21:56:20
- Source security-advisories@github.com
Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.
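The following is an added example (not Vikunja's own code) showing the advisory's point: a VTODO built by raw concatenation lets a CRLF in the task title terminate the SUMMARY property, while RFC 5545 section 3.3.11 TEXT escaping keeps the whole title inside one property. The function names, the `task-1` UID and the title with its example.invalid URL are constructed for illustration; line folding is out of scope.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeText applies RFC 5545 section 3.3.11 TEXT escaping: backslash,
// semicolon and comma are backslash-escaped and a newline becomes the
// two-character sequence "\n". A bare CR has no meaning inside a TEXT
// value, so it is dropped instead of being emitted as a line break.
func escapeText(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`) // must run first
	s = strings.ReplaceAll(s, ";", `\;`)
	s = strings.ReplaceAll(s, ",", `\,`)
	s = strings.ReplaceAll(s, "\r\n", "\n")
	s = strings.ReplaceAll(s, "\r", "")
	s = strings.ReplaceAll(s, "\n", `\n`)
	return s
}

// vtodoUnsafe mirrors the pre-2.3.0 pattern the advisory describes:
// the user-controlled title is concatenated into the property line as-is.
func vtodoUnsafe(uid, title string) string {
	return "BEGIN:VTODO\r\nUID:" + uid + "\r\nSUMMARY:" + title + "\r\nEND:VTODO\r\n"
}

// vtodoSafe escapes the title before concatenation (hypothetical fixed form).
func vtodoSafe(uid, title string) string {
	return "BEGIN:VTODO\r\nUID:" + uid + "\r\nSUMMARY:" + escapeText(title) + "\r\nEND:VTODO\r\n"
}

// propertyNames returns the property names a CRLF-delimited parser sees in
// the component; a defender can use it to check that no property leaked
// out of the SUMMARY value.
func propertyNames(ics string) []string {
	var names []string
	for _, line := range strings.Split(strings.TrimSuffix(ics, "\r\n"), "\r\n") {
		name, _, _ := strings.Cut(line, ":")
		names = append(names, name)
	}
	return names
}

func main() {
	// Constructed sample title containing a CRLF; not a real Vikunja task.
	title := "Buy milk\r\nATTACH:https://example.invalid/attachment"
	fmt.Println(propertyNames(vtodoUnsafe("task-1", title))) // 5 properties, ATTACH leaked
	fmt.Println(propertyNames(vtodoSafe("task-1", title)))   // 4 properties, ATTACH stays in SUMMARY
}
```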
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.093 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 4.1 | 2.3 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N |
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
https://github.com/go-vikunja/vikunja/pull/2580
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r