
CVE-2026-35601: Vikunja CalDAV iCalendar Injection Vulnerability

CVE-2026-35601 is a CRLF injection flaw (CWE-93) in Vikunja's CalDAV output generator that allows injection of arbitrary iCalendar properties. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2026-35601 Overview

CVE-2026-35601 is an iCalendar injection vulnerability in Vikunja, an open-source self-hosted task management platform. The CalDAV output generator in versions prior to 2.3.0 builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters can break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER.

Critical Impact

Authenticated attackers can inject malicious iCalendar properties through crafted task titles, potentially enabling phishing attacks via spoofed organizer information, malicious attachment links, or unwanted alarm notifications for calendar subscribers.

Affected Products

  • Vikunja versions prior to 2.3.0

Discovery Timeline

  • 2026-04-10 - CVE-2026-35601 published to NVD
  • 2026-04-13 - Last updated in NVD database

Technical Details for CVE-2026-35601

Vulnerability Analysis

This vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences). The flaw exists in Vikunja's CalDAV output generator, which constructs iCalendar VTODO entries by directly concatenating user-supplied task titles without proper escaping as required by RFC 5545.

The iCalendar format (RFC 5545) defines specific escape sequences for TEXT values: backslashes, semicolons, commas and, critically, line breaks (CRLF) must be escaped. When the CalDAV generator does not escape task titles, an attacker can inject newline characters that terminate the current property and introduce arbitrary iCalendar properties or components.

This injection technique enables several attack scenarios: spoofing the ORGANIZER property to impersonate other users in phishing attacks, injecting malicious ATTACH URLs that calendar clients may automatically fetch, or adding VALARM components that generate intrusive notifications for all calendar subscribers.

Root Cause

The root cause is the absence of RFC 5545 TEXT value escaping in the CalDAV output generator. When building VTODO entries, the application concatenates user-controlled task title strings directly into the iCalendar output without sanitizing or escaping CRLF sequences (\r\n). This allows property boundary injection, enabling attackers to insert additional iCalendar properties or components.

Attack Vector

The attack requires network access and low-privileged authenticated access to the Vikunja instance. An attacker creates or modifies a task with a specially crafted title containing CRLF sequences followed by malicious iCalendar properties. When other users subscribe to the affected calendar via CalDAV, the injected properties are processed by their calendar clients.

The vulnerability mechanism involves crafting task titles with embedded CRLF sequences. When the CalDAV generator outputs the task as a VTODO entry, the CRLF breaks the property boundary, and subsequent content is interpreted as new iCalendar properties. For example, a task title containing CRLF followed by ORGANIZER:mailto:attacker@evil.com would inject a spoofed organizer property into the calendar output.
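The escaping that the root-cause section calls for, shown beside the raw concatenation it replaces, as an added Go example (Vikunja is written in Go). This is illustration code, not Vikunja's own code or its patch; the function names, the UID and the mailto address are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeText applies RFC 5545 section 3.3.11 TEXT escaping: backslash,
// semicolon and comma get a backslash prefix, and any line break (CRLF, bare
// CR or bare LF) becomes the two characters "\n", so it cannot end the line.
func escapeText(s string) string {
	return strings.NewReplacer(
		`\`, `\\`, ";", `\;`, ",", `\,`,
		"\r\n", `\n`, "\r", `\n`, "\n", `\n`,
	).Replace(s)
}

// vulnerableVTODO mirrors the flaw: the title is concatenated raw, so a CRLF
// inside it ends the SUMMARY line and the rest is read as a new property.
func vulnerableVTODO(uid, title string) string {
	return "BEGIN:VTODO\r\nUID:" + uid + "\r\nSUMMARY:" + title + "\r\nEND:VTODO\r\n"
}

// fixedVTODO escapes the title first, the approach the 2.3.0 fix takes
// (an illustration of that approach, not the project's patch).
func fixedVTODO(uid, title string) string {
	return "BEGIN:VTODO\r\nUID:" + uid + "\r\nSUMMARY:" + escapeText(title) + "\r\nEND:VTODO\r\n"
}

// propertyNames lists the property name of each content line; the boundary
// break shows up as an extra ORGANIZER line in the vulnerable output.
func propertyNames(ics string) []string {
	var names []string
	for _, line := range strings.Split(strings.TrimSuffix(ics, "\r\n"), "\r\n") {
		name, _, _ := strings.Cut(line, ":")
		name, _, _ = strings.Cut(name, ";") // drop property parameters
		names = append(names, name)
	}
	return names
}

func main() {
	// Constructed title with an embedded CRLF, the shape the advisory
	// describes; the mailto address is a placeholder.
	title := "Buy milk\r\nORGANIZER:mailto:spoof@example.com"
	fmt.Println(propertyNames(vulnerableVTODO("t1", title))) // [BEGIN UID SUMMARY ORGANIZER END]
	fmt.Println(propertyNames(fixedVTODO("t1", title)))      // [BEGIN UID SUMMARY END]
}
```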

For detailed technical information, see the GitHub Security Advisory GHSA-2g7h-7rqr-9p4r.

Detection Methods for CVE-2026-35601

Indicators of Compromise

  • Task titles containing CRLF character sequences (\r\n or %0d%0a)
  • CalDAV output containing unexpected iCalendar properties such as ORGANIZER, ATTACH, or VALARM that don't correlate with legitimate task data
  • Calendar subscription errors or anomalies reported by users

Detection Strategies

  • Implement input validation monitoring to detect CRLF sequences in task title fields
  • Review CalDAV access logs for unusual patterns or requests following task creation/modification
  • Monitor for user reports of unexpected calendar notifications or suspicious organizer information

Monitoring Recommendations

  • Enable logging for CalDAV endpoint access and task modification events
  • Configure alerts for task titles containing control characters or CRLF sequences
  • Audit calendar exports periodically for malformed or injected iCalendar properties
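A small audit helper for the indicators and monitoring steps above, as an added Go example that is not part of this page or of Vikunja: it flags raw or URL-encoded line breaks in a title and lists ORGANIZER, ATTACH and VALARM entries found inside the VTODOs of a constructed export. The set of names it treats as suspicious is an assumption to adjust to what your own export normally contains.

```go
package main

import "strings"

// hasCRLF reports whether a task title carries a raw or URL-encoded line break.
func hasCRLF(title string) bool {
	t := strings.ToLower(title)
	return strings.ContainsAny(t, "\r\n") || strings.Contains(t, "%0d") || strings.Contains(t, "%0a")
}

// suspiciousProperties audits an iCalendar export and lists, per VTODO UID, the
// ORGANIZER/ATTACH properties and VALARM components found directly in a VTODO.
// Which names count as suspicious is an assumption; folded lines are not unfolded.
func suspiciousProperties(ics string) []string {
	var findings, flagged []string
	uid, depth := "", 0 // depth 1 = inside a VTODO, 2 = inside one of its sub-components
	for _, line := range strings.Split(strings.ReplaceAll(ics, "\r\n", "\n"), "\n") {
		name, value, _ := strings.Cut(line, ":")
		name, _, _ = strings.Cut(name, ";") // drop property parameters
		name = strings.ToUpper(name)
		switch {
		case name == "BEGIN" && value == "VTODO":
			depth, uid, flagged = 1, "", nil
		case name == "BEGIN" && depth >= 1:
			if depth == 1 && value == "VALARM" {
				flagged = append(flagged, "VALARM")
			}
			depth++
		case name == "END" && depth >= 1:
			depth--
			if depth == 0 {
				for _, f := range flagged {
					findings = append(findings, uid+": "+f)
				}
			}
		case depth == 1 && name == "UID":
			uid = value
		case depth == 1 && (name == "ORGANIZER" || name == "ATTACH"):
			flagged = append(flagged, name)
		}
	}
	return findings
}

// Constructed sample export: the second VTODO carries the spoofed ORGANIZER and
// VALARM an unescaped title could produce (the address is a placeholder).
const sampleExport = "BEGIN:VCALENDAR\r\n" +
	"BEGIN:VTODO\r\nUID:t1\r\nSUMMARY:Buy milk\r\nEND:VTODO\r\n" +
	"BEGIN:VTODO\r\nUID:t2\r\nSUMMARY:Plan\r\nORGANIZER:mailto:spoof@example.com\r\n" +
	"BEGIN:VALARM\r\nACTION:DISPLAY\r\nEND:VALARM\r\nEND:VTODO\r\nEND:VCALENDAR\r\n"
```

Running suspiciousProperties over sampleExport yields two findings for t2 (ORGANIZER and VALARM) and none for t1.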

How to Mitigate CVE-2026-35601

Immediate Actions Required

  • Upgrade Vikunja to version 2.3.0 or later immediately
  • Review existing task titles for potentially malicious content containing CRLF sequences
  • Audit CalDAV subscriber access and notify users who may have synced potentially compromised calendars

Patch Information

The vulnerability is fixed in Vikunja version 2.3.0. The patch implements proper RFC 5545 TEXT value escaping for user-controlled content in the CalDAV output generator. Organizations should upgrade to this version or later as soon as possible.

For patch details, see the GitHub Pull Request #2580 and download the fixed version from the GitHub Release v2.3.0.

Workarounds

  • If immediate upgrade is not possible, consider temporarily disabling CalDAV access until the patch can be applied
  • Implement input sanitization at the web application firewall level to strip CRLF sequences from task title inputs
  • Restrict CalDAV access to trusted internal users only until the vulnerability is patched

```bash
# Upgrade Vikunja to the patched version
# Using Docker (recommended approach). Re-use the volume, port and environment
# flags of your existing deployment in the final run command so the new
# container keeps the existing data and configuration.
docker pull vikunja/vikunja:2.3.0
docker stop vikunja
docker rm vikunja
docker run -d --name vikunja vikunja/vikunja:2.3.0
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
