Vikunja has an iCalendar Property Injection via CRLF in CalDAV...

4.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.

Basic Information

ID CVE-2026-35601

Source GitHub_M

Published Apr 10, 2026 at 16:08

Affected Product

Vendor go-vikunja

Product vikunja

Version < 2.3.0

Affected Versions go-vikunja vikunja < 2.3.0

CWE Classification

CWE-93

References

{
    "lastseen": "",
    "description": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.",
    "published": "2026-04-10T16:08:50.519Z",
    "modified": "2026-04-10T16:08:50.519Z",
    "type": "cve",
    "title": "Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output",
    "source": "GitHub_M",
    "references": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r\nhttps://github.com/go-vikunja/vikunja/pull/2580\nhttps://github.com/go-vikunja/vikunja/releases/tag/v2.3.0",
    "id": "CVE-2026-35601",
    "bulletinFamily": "",
    "cwe": [
        "CWE-93"
    ],
    "cvelist": null,
    "sourceData": "go-vikunja vikunja < 2.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vikunja",
    "version": "< 2.3.0",
    "vendor": "go-vikunja",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output_CVE-2026-35601