CVE-2026-35600 Overview
CVE-2026-35600 is a Cross-Site Scripting (XSS) vulnerability affecting Vikunja, an open-source self-hosted task management platform. Prior to version 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails.
Critical Impact
Attackers can inject malicious Markdown into task titles, resulting in phishing links and tracking pixels being rendered in legitimate overdue notification emails sent to users.
Affected Products
- Vikunja versions prior to 2.3.0
Discovery Timeline
- April 10, 2026 - CVE-2026-35600 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35600
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in how Vikunja processes task titles when generating overdue email notifications. The application fails to properly escape Markdown special characters before embedding task titles into Markdown link syntax within email content.
When the email content is subsequently processed by the goldmark Markdown renderer and sanitized by bluemonday, the injected Markdown constructs are interpreted and rendered as valid HTML elements. Since bluemonday's configuration allows <a> (anchor) and <img> (image) tags, attackers can leverage this to inject phishing links that appear legitimate within the context of official notification emails, as well as tracking pixels that can be used to monitor when users open emails.
Root Cause
The root cause of this vulnerability is improper input validation and insufficient output encoding. Task titles containing Markdown special characters are concatenated directly into Markdown link syntax without escaping. The combination of goldmark rendering and bluemonday's permissive tag allowlist (specifically <a> and <img> tags) enables the injected content to be rendered as functional HTML elements in the email output.
Attack Vector
The attack is network-based and requires low privileges (authenticated user access to create tasks). An attacker with the ability to create or modify task titles can craft a malicious task title containing Markdown injection payloads. When the task becomes overdue and triggers an email notification to assigned users, the malicious content is rendered within the legitimate notification email.
The attack scenario involves:
- An authenticated attacker creates a task with a specially crafted title containing Markdown injection syntax
- The task is assigned to a victim user and configured to become overdue
- When Vikunja sends the overdue notification email, the malicious Markdown is rendered
- The victim receives what appears to be a legitimate Vikunja notification but contains phishing links or tracking pixels
This can be used for credential phishing by embedding links that appear to point to Vikunja but actually redirect to attacker-controlled sites, or for reconnaissance via tracking pixels that notify the attacker when emails are opened.
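To make the root cause concrete, here is an added illustration (not Vikunja's own code and not the fix in commit 0f3730d) of the unescaped concatenation beside a backslash-escaping version; goldmark and bluemonday rendering is left out so it runs on the standard library alone, and the task title and example.invalid URLs are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample values; example.invalid is a reserved, non-routable name.
const (
	taskURL   = "https://vikunja.example.invalid/tasks/42"
	taskTitle = "Pay invoice](https://example.invalid/login) ["
)

// markdownEscaper backslash-escapes the ASCII punctuation that CommonMark
// renderers such as goldmark treat as syntax, so a title renders as literal
// text. NewReplacer works in a single pass, so an existing backslash is
// escaped exactly once and never re-escaped.
var markdownEscaper = strings.NewReplacer(
	`\`, `\\`, "[", `\[`, "]", `\]`, "(", `\(`, ")", `\)`,
	"!", `\!`, "<", `\<`, ">", `\>`, "*", `\*`, "_", `\_`,
	"`", "\\`", "#", `\#`, "|", `\|`,
)

func escapeMarkdown(s string) string { return markdownEscaper.Replace(s) }

// buildLinkVulnerable mirrors the pre-2.3.0 pattern described above: the raw
// title is concatenated into link syntax, so a title containing "](" closes
// the link text early and supplies its own destination.
func buildLinkVulnerable(title, url string) string {
	return fmt.Sprintf("[%s](%s)", title, url)
}

// buildLinkFixed escapes the title first; the only unescaped "](" left is the
// one belonging to the notification's own link.
func buildLinkFixed(title, url string) string {
	return fmt.Sprintf("[%s](%s)", escapeMarkdown(title), url)
}

// unescapedLinkCloses counts "](" sequences not preceded by a backslash; a
// correctly built single link has exactly one.
func unescapedLinkCloses(md string) int {
	n := 0
	for i := 0; i+1 < len(md); i++ {
		if md[i] == ']' && md[i+1] == '(' && (i == 0 || md[i-1] != '\\') {
			n++
		}
	}
	return n
}

func main() {
	fmt.Println("vulnerable:", buildLinkVulnerable(taskTitle, taskURL))
	fmt.Println("fixed:     ", buildLinkFixed(taskTitle, taskURL))
}
```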
Detection Methods for CVE-2026-35600
Indicators of Compromise
- Unusual task titles containing Markdown special characters such as [, ], (, ), or !
- Email notifications containing unexpected external links or image references
- Task titles with embedded URL patterns or image syntax that don't match legitimate task naming conventions
- Reports from users about suspicious links in Vikunja notification emails
Detection Strategies
- Review task creation and modification logs for titles containing Markdown injection patterns
- Implement content analysis on outbound email notifications to detect suspicious link destinations
- Monitor for tasks created with titles matching regex patterns indicative of Markdown injection (e.g., !\[.*\]\(http.*\) or \[.*\]\(http.*\))
- Audit user accounts that have created tasks with unusual character sequences in titles
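The regex patterns listed above, run over constructed sample task titles (added example, not Vikunja code; the example.invalid hosts and the title strings are made up). It also adds a narrower "](" check, because the two patterns from the list do not match a title that borrows the opening bracket of the notification's own link.

```go
package main

import (
	"fmt"
	"regexp"
)

// The two patterns from the detection strategies above, plus a check for the
// "](" sequence that ends link text early and a weak bare-URL signal.
var injectionPatterns = map[string]*regexp.Regexp{
	"image-syntax":    regexp.MustCompile(`!\[.*\]\(http.*\)`),
	"link-syntax":     regexp.MustCompile(`\[.*\]\(http.*\)`),
	"link-text-close": regexp.MustCompile(`\]\(`),
	"bare-url":        regexp.MustCompile(`https?://`),
}

// Evaluation order, so results are deterministic.
var patternOrder = []string{"image-syntax", "link-syntax", "link-text-close", "bare-url"}

// Constructed sample titles as they might appear in task creation logs.
var sampleTitles = []string{
	"Write Q3 report",
	"Fix bug [backend] (urgent)",
	"Update docs](https://example.invalid/login) [",
	"![](https://example.invalid/p.gif)",
	"See https://vikunja.example.invalid/tasks/7 for context",
}

// classifyTitle returns the names of every pattern the title matches. Plain
// brackets or parentheses alone do not trigger, which keeps ordinary titles
// like the second sample quiet; "bare-url" alone is a low-confidence hit.
func classifyTitle(title string) []string {
	var hits []string
	for _, name := range patternOrder {
		if injectionPatterns[name].MatchString(title) {
			hits = append(hits, name)
		}
	}
	return hits
}

// flagged maps each title that matched at least one pattern to its hits.
func flagged(titles []string) map[string][]string {
	out := map[string][]string{}
	for _, t := range titles {
		if hits := classifyTitle(t); len(hits) > 0 {
			out[t] = hits
		}
	}
	return out
}

func main() {
	for t, hits := range flagged(sampleTitles) {
		fmt.Printf("%-55q %v\n", t, hits)
	}
}
```

Treat a "bare-url" hit on its own as review material rather than an alert; the third sample shows why the "link-text-close" check is worth adding alongside the two listed patterns.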
Monitoring Recommendations
- Enable logging for all task creation and modification events with full title content
- Implement email security solutions that scan outbound notifications for phishing indicators
- Configure alerts for task titles exceeding normal length or containing URL-like patterns
- Establish baseline patterns for legitimate task naming and alert on anomalies
How to Mitigate CVE-2026-35600
Immediate Actions Required
- Upgrade Vikunja to version 2.3.0 or later immediately
- Review recently created tasks for suspicious titles containing Markdown syntax
- Inform users about potential phishing attempts via Vikunja notification emails
- Consider temporarily disabling overdue email notifications until patched
Patch Information
The vulnerability has been fixed in Vikunja version 2.3.0. The fix involves properly escaping Markdown special characters in task titles before embedding them into email notification content.
Detailed patch information is available through the following resources:
- GitHub Security Advisory GHSA-45q4-x4r9-8fqj
- GitHub Pull Request #2580
- GitHub Commit 0f3730d
- GitHub Release v2.3.0
Workarounds
- Implement input validation at the application or reverse proxy level to reject task titles containing Markdown special characters
- Configure email security gateways to strip or neutralize links and images in outbound Vikunja notifications
- Temporarily disable overdue email notifications via Vikunja configuration until the upgrade can be performed
- Restrict task creation permissions to trusted users only until patched
# Configuration example
# Upgrade Vikunja to the patched version
# Using Docker. Recreating the container drops its original volume, port and
# environment flags, so review them first and repeat them in the run command;
# the bare run below only shows the image tag change.
docker inspect vikunja-container
docker pull vikunja/vikunja:2.3.0
docker stop vikunja-container
docker rm vikunja-container
docker run -d --name vikunja-container vikunja/vikunja:2.3.0
# Or using the binary release - download from GitHub releases
wget https://github.com/go-vikunja/vikunja/releases/download/v2.3.0/vikunja-linux-amd64
chmod +x vikunja-linux-amd64
systemctl stop vikunja
mv vikunja-linux-amd64 /usr/local/bin/vikunja
systemctl start vikunja
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

