CVE-2026-35601

Exploit

EPSS 0.03%
Veröffentlicht 10.04.2026 16:08:50
Zuletzt bearbeitet 17.04.2026 21:56:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vikunja ≫ Vikunja Version < 2.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.081

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.1	2.3	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0

Release Notes

https://github.com/go-vikunja/vikunja/pull/2580

Issue Tracking

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-35601

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35601

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35601

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35601