CVE-2026-25935
Awaiting Analysis Awaiting Analysis - Queue
Stored XSS in Vikunja TaskGlanceTooltip.vue Allows Code Execution on Hover

Publication date: 2026-02-11

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25935
EUVD
EUVD-2026-6205
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja to 1.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25935 is a high-severity Cross-Site Scripting (XSS) vulnerability in the Vikunja todo-app affecting versions up to 1.0.0. The vulnerability occurs because the TaskGlanceTooltip.vue component creates a temporary div element and sets its innerHTML directly to the task description without any escaping or sanitization on either the client or server side.

This allows a malicious user to inject arbitrary HTML or JavaScript code into a task description. When a victim user hovers over the malicious task preview, the injected script executes in their browser context, potentially leading to unauthorized actions or data theft.

The vulnerability is fixed in Vikunja version 1.1.0.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have serious impacts including the execution of arbitrary scripts in the victim's browser, which can lead to the exfiltration of sensitive data such as authentication tokens."}, {'type': 'paragraph', 'content': 'An attacker can inject malicious code into task descriptions and cause it to run when other users hover over the task preview, potentially compromising confidentiality and integrity of user data.'}, {'type': 'list_item', 'content': 'High impact on confidentiality: sensitive data can be stolen.'}, {'type': 'list_item', 'content': 'High impact on integrity: unauthorized modification of data is possible.'}, {'type': 'paragraph', 'content': 'No impact on availability has been reported.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by identifying task descriptions containing unescaped HTML or JavaScript code that could trigger Cross-Site Scripting (XSS) when previewed. Specifically, look for tasks with descriptions including HTML tags such as <img> with event handlers like onerror.

Since the vulnerability triggers when a user hovers over a malicious task preview, network detection could involve monitoring for suspicious payloads in task descriptions or unusual script execution attempts in client browsers.

There are no explicit commands provided in the resources to detect this vulnerability on your system or network.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Vikunja to version 1.1.0 or later, which contains the fix for CVE-2026-25935.

The fix involves replacing the vulnerable method of rendering task descriptions that used innerHTML with a safer approach using the DOMParser API to extract plain text, preventing script injection.

Users should replace the Vikunja binary with the updated release or pull the latest Docker image containing version 1.1.0.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25935. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart