Vikunja Affected by XSS Via Task Preview
Description
Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets its innerHTML to the task description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja prior to 1.1.0 has a stored XSS due to unsanitized task descriptions rendered via innerHTML in TaskGlanceTooltip.vue, triggered on hover.
Vulnerability
Description
CVE-2026-25935 is a stored cross-site scripting (XSS) vulnerability in Vikunja, a to-do app. The flaw resides in TaskGlanceTooltip.vue, which temporarily creates a div and sets its innerHTML to the task description. Neither server-side nor client-side escaping is performed, allowing arbitrary HTML/JavaScript injection [1][2].
Exploitation
A malicious user with the ability to share a project and create tasks can inject malicious code into a task's description. When another user hovers over the task in list view, the unsanitized description is rendered, executing the injected script in the context of the victim's browser [1][2]. No additional authentication bypass or interaction beyond hovering is required for the XSS to fire.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's session. This can lead to theft of session tokens, manipulation of tasks or projects, or other actions the legitimate user can perform, potentially compromising the entire Vikunja instance for that user [1][2].
Mitigation
The vulnerability is fixed in Vikunja version 1.1.0. All users are strongly advised to upgrade immediately [1][2][3]. No workaround is documented for affected versions.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| code.vikunja.io/api | Go | <= 0.24.6 | — |
Affected products
- go-vikunja/vikunja, affected range: < 1.1.0
Patches
dd0b82f00a8c fix(task): use DOMParser in task glance tooltip description preview
1 file changed · +2 −4
frontend/src/components/tasks/partials/TaskGlanceTooltip.vue+2 −4 modified@@ -113,10 +113,8 @@ const descriptionPreview = computed(() => { return '' } - // Create a temporary div to extract plain text from HTML - const tempDiv = document.createElement('div') - tempDiv.innerHTML = props.task.description - const plainText = tempDiv.textContent || tempDiv.innerText || '' + const doc = new DOMParser().parseFromString(props.task.description, 'text/html') + const plainText = doc.body.textContent || '' const trimmedText = plainText.trim() if (trimmedText.length <= MAX_DESCRIPTION_LENGTH) {
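Review bot: The hunk ships without a regression test for the preview path; add a unit test that feeds `descriptionPreview` a description containing an inline event handler attribute and a `<script>` element, and asserts that the computed value is only the plain text and that nothing executed. The replacement itself is sound: `new DOMParser().parseFromString(..., 'text/html')` produces an inert document with scripting disabled and no resource fetching, whereas assigning `innerHTML` on a `document.createElement('div')` node runs event handlers even though the div is never attached to the page. Dropping the `tempDiv.innerText` fallback is also correct, since `innerText` depends on layout and a parsed document has none; `doc.body.textContent || ''` is the right read.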
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
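As an added example (not Vikunja's own tooling), the following Node script scans source text for the sink that caused this bug, an assignment of a non-literal value to `.innerHTML`, so a CI check can reject the pre-patch pattern; the two sample snippets are constructed to mirror the before and after lines of the commit above.

```javascript
// Added example for CVE-2026-25935: flag `.innerHTML = <expression>` sinks in source.
// Illustrative only; not part of Vikunja or its build.

// Matches `<expr>.innerHTML = <rhs>` or `+=`, but not `==`/`===` comparisons.
const INNER_HTML_ASSIGN = /\.innerHTML\s*\+?=(?!=)\s*([^\n;]+)/;
// A right-hand side that is a single string literal carries no runtime data.
const STRING_LITERAL = /^\s*(['"`])(?:(?!\1).)*\1\s*$/;

// Returns one finding per line that writes a non-literal value into innerHTML.
function scanForInnerHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const match = INNER_HTML_ASSIGN.exec(text);
    if (!match) return;
    const rhs = match[1].trim();
    if (STRING_LITERAL.test(rhs)) return; // constant markup, not a sink
    findings.push({
      line: idx + 1,
      value: rhs,
      advice: 'parse untrusted HTML with new DOMParser().parseFromString(html, "text/html") and read body.textContent',
    });
  });
  return findings;
}

// Constructed samples shaped like the pre-patch and post-patch code in the diff above.
const BEFORE_FIX = `
const tempDiv = document.createElement('div')
tempDiv.innerHTML = props.task.description
const plainText = tempDiv.textContent || tempDiv.innerText || ''
`;
const AFTER_FIX = `
const doc = new DOMParser().parseFromString(props.task.description, 'text/html')
const plainText = doc.body.textContent || ''
`;

console.log('before fix:', scanForInnerHtmlSinks(BEFORE_FIX)); // one finding on line 3
console.log('after fix:', scanForInnerHtmlSinks(AFTER_FIX));   // []
```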
References
- github.com/advisories/GHSA-m4g2-2q66-vc9v (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25935 (GHSA, advisory)
- github.com/go-vikunja/vikunja/commit/dd0b82f00a8c9ded1c19a1e643a197c514be6d37 (GHSA, x_refsource_MISC, web)
- github.com/go-vikunja/vikunja/releases/tag/v1.1.0 (GHSA, x_refsource_MISC, web)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v (GHSA, x_refsource_CONFIRM, web)
- vikunja.io/changelog/vikunja-v1.1.0-was-released (GHSA, x_refsource_MISC, web)