CVE-2026-25935
Stored XSS in Vikunja TaskGlanceTooltip.vue Allows Code Execution on Hover
Publication date: 2026-02-11
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | < 1.1.0 (1.1.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25935 is a high-severity Cross-Site Scripting (XSS) vulnerability in the Vikunja to-do app affecting versions up to 1.0.0. The vulnerability occurs because the TaskGlanceTooltip.vue component creates a temporary div element and sets its innerHTML directly to the task description without any escaping or sanitization on either the client or server side.
This allows a malicious user to inject arbitrary HTML or JavaScript code into a task description. When a victim user hovers over the malicious task preview, the injected script executes in their browser context, potentially leading to unauthorized actions or data theft.
The vulnerability is fixed in Vikunja version 1.1.0.
How can this vulnerability impact me?
This vulnerability can have serious impacts including the execution of arbitrary scripts in the victim's browser, which can lead to the exfiltration of sensitive data such as authentication tokens.
An attacker can inject malicious code into task descriptions and cause it to run when other users hover over the task preview, potentially compromising confidentiality and integrity of user data.
- High impact on confidentiality: sensitive data can be stolen.
- High impact on integrity: unauthorized modification of data is possible.
No impact on availability has been reported. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying task descriptions containing unescaped HTML or JavaScript code that could trigger Cross-Site Scripting (XSS) when previewed. Specifically, look for tasks with descriptions including HTML tags such as <img> with event handlers like onerror.
Since the vulnerability triggers when a user hovers over a malicious task preview, network detection could involve monitoring for suspicious payloads in task descriptions or unusual script execution attempts in client browsers.
There are no explicit commands provided in the resources to detect this vulnerability on your system or network.
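Since the answer above names no concrete commands, here is an added triage scan (not Vikunja code, and not taken from the advisory) that applies its guidance: it walks exported task descriptions and flags markup the vulnerable innerHTML tooltip would have rendered, namely inline event-handler attributes, script-bearing tags and javascript: URLs. The task records are constructed sample data, the regexes are a heuristic rather than a full HTML parser, and hits are meant for manual review.

```javascript
// Constructed sample task rows, as they might be exported from the tasks table.
const SAMPLE_TASKS = [
  { id: 1, description: 'Buy milk <b>today</b>' },
  { id: 2, description: 'See <a href="https://example.com/doc">notes</a>' },
  { id: 3, description: '<img src="x" onerror="alert(1)">' },
  { id: 4, description: 'Review <script>alert(1)</script> budget' },
  { id: 5, description: '<a href="javascript:alert(1)">click</a>' },
  { id: 6, description: 'Plain text mentioning onerror in prose' },
];

// Opening tag: captures the tag name and its raw attribute string.
// Closing tags (</x>) are skipped because "/" is not a letter.
const TAG_RE = /<\s*([a-z][\w:-]*)\b([^>]*)>/gi;
// Inline event handler attribute (onerror=, onload=, ...), also after "/" or a quote.
const HANDLER_RE = /(?:^|[\s/"'])on[a-z]+\s*=/i;
// javascript: or vbscript: URL in a URL-bearing attribute, tolerating whitespace.
const SCRIPT_URL_RE = /\b(?:href|src|action|xlink:href)\s*=\s*["']?\s*(?:javascript|vbscript)\s*:/i;
// Tags that execute or load code on their own, without any attribute.
const DANGEROUS_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'base', 'meta', 'link']);

// Returns one finding per suspicious tag in a description; empty array when clean.
function findSuspiciousMarkup(description) {
  const findings = [];
  for (const m of description.matchAll(TAG_RE)) {
    const [raw, name, attrs] = m;
    const tag = name.toLowerCase();
    if (DANGEROUS_TAGS.has(tag)) findings.push({ reason: 'dangerous-tag', tag, raw });
    if (HANDLER_RE.test(attrs)) findings.push({ reason: 'event-handler', tag, raw });
    if (SCRIPT_URL_RE.test(attrs)) findings.push({ reason: 'script-url', tag, raw });
  }
  return findings;
}

// Scans task rows and keeps only those with findings, in input order.
function scanTasks(tasks) {
  return tasks
    .map((t) => ({ id: t.id, findings: findSuspiciousMarkup(t.description) }))
    .filter((t) => t.findings.length > 0);
}

// Prints the review list when run directly: task id plus the reasons it was flagged.
for (const hit of scanTasks(SAMPLE_TASKS)) {
  console.log(`task ${hit.id}: ${hit.findings.map((f) => f.reason).join(', ')}`);
}
```

Run the same scan against a real export after upgrading to 1.1.0 as well: the fix stops the markup from executing, but stored descriptions that were already injected remain worth cleaning up.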
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Vikunja to version 1.1.0 or later, which contains the fix for CVE-2026-25935.
The fix involves replacing the vulnerable method of rendering task descriptions that used innerHTML with a safer approach using the DOMParser API to extract plain text, preventing script injection.
Users should replace the Vikunja binary with the updated release or pull the latest Docker image containing version 1.1.0.