PT-2026-31951 · Vikunja+2

Published: 2026-04-10 · Updated: 2026-04-10 · CVE-2026-35600

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.3.0
Description: Vikunja, a self-hosted task management platform, embedded task titles directly into Markdown link syntax in overdue-task email notifications without escaping Markdown special characters. A title containing link or image syntax therefore injected attacker-chosen Markdown constructs, such as phishing links and tracking pixels, into otherwise legitimate notification emails once the Markdown was rendered by goldmark and sanitized by bluemonday. The vulnerable code was located at pkg/models/notifications.go:360, and the same pattern affected multiple notification types at lines 72, 176, 227, and 318 of notifications.go. An attacker with write access to a shared project could exploit this to send emails containing links to evil.com or tracking pixels. The injected content survived sanitization because bluemonday's UGCPolicy allows the <a> and <img> tags that goldmark emits for links and images.
Recommendations: Upgrade to Vikunja version 2.3.0 or later to resolve this issue. As a temporary workaround, escape Markdown special characters in task titles before embedding them in Markdown content, for example with a helper such as escapeMarkdown().
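An added example, not Vikunja's own code, of the pattern described above: the raw-title link beside the backslash-escaped variant, plus a small escape-aware scanner that counts how many link constructs each rendering would yield. The escapeMarkdown helper, the placeholder instance URL and the constructed title are assumptions for this illustration; goldmark and bluemonday are not used so the block runs with the standard library only.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// markdownEscaper backslash-escapes ASCII punctuation that CommonMark treats as
// structural, so a title cannot close "[...]" or open a new link or image.
// Hypothetical helper written for this example, not Vikunja's code.
var markdownEscaper = strings.NewReplacer(
	`\`, `\\`, "`", "\\`", `*`, `\*`, `_`, `\_`, `{`, `\{`, `}`, `\}`,
	`[`, `\[`, `]`, `\]`, `(`, `\(`, `)`, `\)`, `#`, `\#`, `+`, `\+`,
	`-`, `\-`, `.`, `\.`, `!`, `\!`, `<`, `\<`, `>`, `\>`, `|`, `\|`,
)

func escapeMarkdown(title string) string { return markdownEscaper.Replace(title) }

// unsafeTaskLink mirrors the pre-2.3.0 pattern: the raw title is dropped
// straight into link syntax, so punctuation in the title is parsed as Markdown.
func unsafeTaskLink(title, taskURL string) string {
	return fmt.Sprintf("[%s](%s)", title, taskURL)
}

// safeTaskLink escapes the title first (the workaround recommended above).
func safeTaskLink(title, taskURL string) string {
	return fmt.Sprintf("[%s](%s)", escapeMarkdown(title), taskURL)
}

// linkRe matches a Markdown link "[text](dest)" while treating a backslash-
// escaped character as literal, the rule that makes an escaped title plain text.
var linkRe = regexp.MustCompile(`\[((?:\\.|[^\]\\])*)\]\(((?:\\.|[^)\\])*)\)`)

// markdownLinks returns the (text, destination) pairs a renderer would turn
// into <a> elements for the given Markdown line.
func markdownLinks(md string) [][2]string {
	var out [][2]string
	for _, m := range linkRe.FindAllStringSubmatch(md, -1) {
		out = append(out, [2]string{m[1], m[2]})
	}
	return out
}

func main() {
	// Constructed title: closes the link text early and starts a second link.
	title := `Pay invoice](https://evil.example) [now`
	taskURL := "https://vikunja.example/tasks/42" // placeholder instance URL
	for _, md := range []string{unsafeTaskLink(title, taskURL), safeTaskLink(title, taskURL)} {
		fmt.Printf("%s\n  links: %v\n", md, markdownLinks(md))
	}
}
```

The unescaped rendering yields two links, the first pointing at the attacker-chosen destination, while the escaped rendering yields exactly one link to the task URL.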

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-35600
GHSA-45Q4-X4R9-8FQJ

Affected Products

Vikunja
Bluemonday
Goldmark