CVE-2026-35600
Markdown Injection in Vikunja Task Titles Enables Phishing Links
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | up to 2.3.0 (excluding 2.3.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with write access to inject phishing links and tracking pixels into legitimate overdue email notifications sent by Vikunja. Because these emails originate from a trusted source, recipients are more likely to interact with malicious content, potentially leading to unauthorized data access or tracking.
Such unauthorized data exposure and phishing risks can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and protecting users from phishing and tracking attacks.
Therefore, the vulnerability poses a risk to maintaining the confidentiality and integrity of user data and communications, which are critical aspects of these compliance standards.
Can you explain this vulnerability to me?
CVE-2026-35600 is a moderate severity HTML injection vulnerability in Vikunja, an open-source self-hosted task management platform. Before version 2.3.0, task titles were embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. This allowed attackers with write access to shared projects to inject malicious Markdown constructs into task titles.
When these malicious Markdown constructs are rendered to HTML by the goldmark library and sanitized by bluemonday (which allows `<a>` and `<img>` tags), phishing links and tracking pixels can survive sanitization and appear in legitimate notification emails. This means attackers can insert clickable phishing links or invisible tracking pixels into emails sent from the legitimate Vikunja SMTP server.
The vulnerability arises because special characters in task titles are not escaped before embedding them into Markdown link syntax, breaking the Markdown structure and enabling injection of arbitrary Markdown elements.
How can this vulnerability impact me?
An attacker with write permissions on shared projects can exploit this vulnerability to inject phishing links or tracking pixels into overdue task notification emails sent to other project members.
Because these emails are sent from the legitimate SMTP server configured in Vikunja, recipients are more likely to trust and interact with the malicious content, increasing the risk of phishing attacks and privacy breaches through tracking pixels.
This can lead to compromised user credentials, unauthorized access, and privacy violations due to tracking of user behavior via injected pixels.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting overdue email notifications generated by Vikunja for the presence of unexpected or malicious Markdown constructs in task titles, such as malformed Markdown links or image tags that could produce phishing links or tracking pixels.
Specifically, look for task titles containing Markdown special characters like `[` or `]` that break the Markdown link syntax and result in injected HTML elements in the emails.
Since the vulnerability arises from unescaped Markdown in email notifications, you can search email logs or stored notification content for suspicious patterns such as:
- Markdown links with broken syntax, e.g., strings like `test](https://evil.com) [Click to verify your account`
- Image tags with an empty alt text and an external URL, e.g., `![](https://evil.com/pixel.png)`
Commands to detect such patterns might include grepping email content or database entries for suspicious Markdown patterns. For example, if you have access to the email notification files or database, you could run:
- `grep -E '\[.*\]\(https?://.*\)' /path/to/email/notifications`
- `grep -E '!\[\]\(https?://.*\)' /path/to/email/notifications`
Note that every legitimate overdue notification contains one Markdown link to the task, so the first pattern is a starting point for review rather than a verdict; a link or image target that points outside your own Vikunja base URL is the stronger signal. Because the Markdown is rendered to HTML before the mail is sent, in already-delivered mail the same injection shows up as `<a href>` or `<img src>` elements pointing to foreign hosts.
Additionally, reviewing task titles in the Vikunja database for Markdown special characters (in particular `]`, `(`, `)` and `![`) can help identify potentially malicious entries created before the fix.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Vikunja to version 2.3.0 or later, where this vulnerability is fixed by escaping Markdown special characters in task titles and other user-controlled strings before rendering them in email notifications.
If upgrading immediately is not possible, consider the following interim measures:
- Restrict write access to shared projects to trusted users only, as the vulnerability requires an attacker to have write permissions to inject malicious Markdown.
- Manually sanitize or review task titles containing Markdown special characters before they are included in notifications.
- Disable or limit overdue email notifications temporarily to reduce the risk of phishing or tracking pixel injection.
Ultimately, applying the official patch or upgrading to the fixed version is the recommended and most effective mitigation.
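As an added example (not Vikunja's own code), the pre-fix and post-fix ways of building the notification link side by side, with a small backslash-aware link scanner standing in for goldmark so the effect can be checked offline; it also serves the detection question above, since the scanner's returned URLs can be compared with the instance's base URL. The task URL is a constructed value, and the escape set and scanner are assumptions rather than the project's implementation.

```go
package main

import "strings"

// escapeMarkdown backslash-escapes the ASCII punctuation CommonMark treats as syntax so a task title stays literal text in a link label (assumed shape of the 2.3.0 fix).
func escapeMarkdown(s string) string {
	var b strings.Builder
	for _, r := range s {
		if strings.ContainsRune("\\`*_{}[]()#+-.!<>|", r) {
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// vulnerableTaskLink mirrors the pre-2.3.0 pattern (raw title in link syntax); fixedTaskLink escapes it first.
func vulnerableTaskLink(title, url string) string { return "[" + title + "](" + url + ")" }
func fixedTaskLink(title, url string) string      { return "[" + escapeMarkdown(title) + "](" + url + ")" }

// findUnescaped returns the index of the first c at or after from that is not backslash-escaped, or -1.
func findUnescaped(s string, from int, c byte) int {
	for j := from; j < len(s); j++ {
		if s[j] == '\\' {
			j++ // skip the escaped byte
		} else if s[j] == c {
			return j
		}
	}
	return -1
}

// LinkTargets is a minimal backslash-aware scanner for [text](url) and ![alt](url), standing in for goldmark's inline parser.
func LinkTargets(md string) []string {
	var urls []string
	for i := 0; i < len(md); i++ {
		if md[i] == '\\' {
			i++ // escaped byte is literal text, never link syntax
		} else if md[i] == '[' {
			end := findUnescaped(md, i+1, ']')
			if end > 0 && end+1 < len(md) && md[end+1] == '(' {
				if stop := findUnescaped(md, end+2, ')'); stop > 0 {
					urls = append(urls, md[end+2:stop])
					i = stop
				}
			}
		}
	}
	return urls
}
```

With the page's sample title, the unescaped link yields two targets (the first pointing at evil.com) while the escaped one yields only the task URL.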