PT-2026-7716 · Vikunja · Vikunja
Supercoolspy · Published 2026-02-11 · Updated 2026-03-03 · CVE-2026-25935
CVSS v4.0 8.6 High
AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 1.1.0
Description: Vikunja, a to-do app, contains a stored cross-site scripting (XSS) vulnerability in its task preview mechanism. The TaskGlanceTooltip.vue component creates a temporary div and assigns the task description to its innerHTML property without escaping it (line 118 of TaskGlanceTooltip.vue). Because innerHTML hands the string to the browser's HTML parser, a malicious user can create a task whose description contains crafted HTML, and any JavaScript embedded in that markup runs in the session of another user who hovers over the task. The issue is triggered by updating a task description via the API with malicious HTML, sharing the project with the victim, and waiting for the victim to view (hover over) the task.
Recommendations: Upgrade installations running a version prior to 1.1.0 to version 1.1.0 or later.
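The following is an added example and not code from Vikunja or from the advisory. It shows, side by side, the vulnerable pattern the description names (an untrusted HTML string assigned to innerHTML of a scratch div) and a safe way to derive a plain-text hover preview that never passes the description through an HTML parser. The sample description, the function names and the heuristic in looksActive are constructed for this example and are not taken from the project.

```javascript
'use strict';

// Constructed sample: the kind of description an attacker could store via the
// task API. The <img> never needs to be attached to the page: assigning it via
// innerHTML starts the fetch of "x" immediately, so the onerror handler fires.
const MALICIOUS_DESCRIPTION =
  '<p>Buy milk</p><img src=x onerror="fetch(\'/api/v1/user\')">';

// Vulnerable pattern (browser only, shown for contrast; do not use). Even
// though the div is only a temporary object used to extract text, innerHTML
// parses the markup and side-effecting elements such as <img onerror> run.
function unsafePreview(description) {
  if (typeof document === 'undefined') throw new Error('browser only');
  const div = document.createElement('div');
  div.innerHTML = description; // <- the vulnerable assignment
  return div.textContent;
}

// Safe alternative: strip tags with a small tokenizer that treats the input
// purely as text. Quoted attribute values are honoured so that a '>' inside
// onerror="..." does not end the tag early and leak the rest as "text".
function stripTags(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {
      out += html[i++];
      continue;
    }
    let quote = null;
    i++;
    while (i < html.length) {
      const d = html[i];
      if (quote) {
        if (d === quote) quote = null;
      } else if (d === '"' || d === "'") {
        quote = d;
      } else if (d === '>') {
        break;
      }
      i++;
    }
    i++; // consume the closing '>' (or run off the end of an unterminated tag)
    out += ' '; // element boundaries become whitespace in the preview
  }
  return out;
}

// Decode the entities a description legitimately carries. The result is only
// ever assigned via textContent, so "&lt;img onerror=...&gt;" becomes inert
// text rather than markup.
function decodeEntities(text) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: ' ' };
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m;
  });
}

// Plain-text preview suitable for `tooltip.textContent = safePreview(desc)`.
function safePreview(description, maxLen = 200) {
  const text = decodeEntities(stripTags(description)).replace(/\s+/g, ' ').trim();
  return text.length > maxLen ? text.slice(0, maxLen - 1) + '\u2026' : text;
}

// Defender-side triage heuristic (constructed, not from the advisory): flag
// stored descriptions carrying markup that can run script, to find attempts
// against instances that were still unpatched. Expect some false positives.
function looksActive(description) {
  return /<\s*(script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript:/i.test(description);
}

module.exports = { MALICIOUS_DESCRIPTION, unsafePreview, stripTags, decodeEntities, safePreview, looksActive };
```

If the preview must keep rich formatting rather than plain text, a tag stripper is the wrong tool; the description then has to go through an HTML sanitizer that enforces an allow-list of elements and attributes before it reaches innerHTML, and the sanitized output must be what is assigned, not the original string.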

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25935
GHSA-M4G2-2Q66-VC9V
GO-2026-4480
SUSE-SU-2026:0757-1

Affected Products

Vikunja