CVE-2026-25935 Overview
CVE-2026-25935 is a stored Cross-Site Scripting (XSS) vulnerability affecting Vikunja, an open-source todo-app for life organization. The vulnerability exists in the TaskGlanceTooltip.vue component, which temporarily creates a div element and sets the innerHTML to the task description without proper input sanitization or escaping. This allows a malicious user to inject arbitrary JavaScript code through task descriptions in shared projects.
Critical Impact
A malicious actor can share a project containing a crafted task description that executes arbitrary JavaScript in the browser of any user who hovers over the task, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the victim.
Affected Products
- Vikunja versions prior to 1.1.0
Discovery Timeline
- 2026-02-11 - CVE CVE-2026-25935 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-25935
Vulnerability Analysis
This stored XSS vulnerability (CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page) occurs due to missing input validation on both the server and client sides of the Vikunja application. The TaskGlanceTooltip.vue component is designed to display task information when users hover over tasks in the interface. However, the component directly renders user-supplied task description content using the innerHTML property without any sanitization or encoding.
The attack scenario requires a malicious user to have project sharing capabilities. Once a project is shared with a victim, the attacker can create a task with a specially crafted description containing malicious JavaScript. When the victim hovers over this task, the malicious script executes in the context of the victim's browser session, giving the attacker access to sensitive data including session tokens, cookies, and the ability to perform actions as the authenticated user.
Root Cause
The root cause of this vulnerability is the improper handling of user-supplied content in the Vue.js component. The TaskGlanceTooltip.vue component uses direct innerHTML assignment to render task descriptions, bypassing Vue's built-in XSS protections that would normally escape HTML entities when using template interpolation. Without server-side sanitization and without proper client-side escaping, any HTML or JavaScript embedded in task descriptions is rendered and executed by the browser.
Attack Vector
The attack vector is network-based and requires user interaction (hover action). An attacker must have the ability to create and share projects within the Vikunja application. The attack flow involves:
- The attacker creates or gains access to a Vikunja account
- The attacker creates a new project and shares it with the target victim
- Within the shared project, the attacker creates a task with a malicious description containing JavaScript code (e.g., <script> tags or event handlers like <img onerror="...">)
- When the victim views the shared project and hovers over the malicious task, the tooltip renders the description via innerHTML, executing the embedded script
The vulnerability allows attackers to steal session tokens, redirect users to phishing pages, modify application data, or perform any action the victim is authorized to perform within Vikunja.
Detection Methods for CVE-2026-25935
Indicators of Compromise
- Unusual task descriptions containing HTML tags such as <script>, <img>, <iframe>, or event handlers like onerror, onload, onmouseover
- Unexpected outbound requests from user browsers to unknown external domains
- Shared projects from untrusted or unknown users containing suspicious task content
- User reports of unexpected browser behavior when interacting with shared projects
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Monitor application logs for task creation events containing HTML or script-like content patterns
- Deploy web application firewalls (WAF) configured with XSS detection rules to identify malicious payloads
- Conduct regular security audits of shared project content to identify potentially malicious task descriptions
Monitoring Recommendations
- Enable browser console logging and monitoring for CSP violation reports
- Monitor network traffic for unusual data exfiltration patterns from user sessions
- Implement real-time alerting for task descriptions matching known XSS payload signatures
- Track sharing activity and flag projects shared by users with suspicious behavior patterns
How to Mitigate CVE-2026-25935
Immediate Actions Required
- Upgrade Vikunja to version 1.1.0 or later immediately
- Audit existing shared projects and tasks for malicious content containing script tags or event handlers
- Advise users to avoid hovering over tasks in projects shared by untrusted sources until the patch is applied
- Implement Content Security Policy headers as an additional defense layer
Patch Information
The vulnerability has been fixed in Vikunja version 1.1.0. The patch addresses the improper HTML handling in the TaskGlanceTooltip.vue component by implementing proper input sanitization and escaping. For detailed information about the fix, refer to the GitHub commit update and the GitHub Security Advisory GHSA-m4g2-2q66-vc9v. The Vikunja v1.1.0 release and changelog provide additional details about this security update.
Workarounds
- Implement Content Security Policy headers with strict script-src directives to prevent inline script execution
- Restrict project sharing capabilities to trusted users only until the upgrade can be completed
- Deploy a reverse proxy or WAF with XSS filtering enabled to sanitize potentially malicious content
- Educate users about the risks of interacting with content from untrusted shared projects
# Example Content Security Policy header configuration for Nginx
# Add to your Vikunja server configuration as a temporary mitigation
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
