CVE-2026-35601

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0

Description Vikunja, a self-hosted task management platform, has an issue where the CalDAV output generator doesn't properly escape characters in iCalendar VTODO entries. Specifically, user-controlled task titles containing CRLF (carriage return and line feed) characters can break the iCalendar property boundary. This allows for the injection of arbitrary iCalendar properties like ATTACH, VALARM, or ORGANIZER. The ParseTodos function at pkg/caldav/caldav.go:146 concatenates the task summary directly into the iCalendar output without applying necessary escaping. This can lead to the injection of malicious attachment URLs, fake alarm notifications, or spoofing of organizer identity. The vulnerability is present in versions before 2.3.0.

Recommendations Update to version 2.3.0 or later.