CVE-2026-35601 MEDIUM

CVE-2026-35601: Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output

Vendor Go-Vikunja
Product vikunja
Weakness CWE-93 · CRLF injection
Published April 10, 2026
Last update April 13, 2026

CVSS base score

4.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

01 Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.
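The difference between raw concatenation and RFC 5545 TEXT escaping, as an added example (not Vikunja's code or its actual patch). The helper names `escapeText`, `summaryUnsafe`, `summarySafe` and `propertyNames`, and the sample title, are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeText applies RFC 5545 section 3.3.11 TEXT escaping to untrusted input.
func escapeText(s string) string {
	var b strings.Builder
	for _, r := range strings.ReplaceAll(s, "\r\n", "\n") {
		switch {
		case r == '\\' || r == ';' || r == ',':
			b.WriteByte('\\')
			b.WriteRune(r)
		case r == '\n' || r == '\r': // any line break becomes the two characters \n
			b.WriteString(`\n`)
		case r < 0x20 && r != '\t': // drop remaining control characters
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// summaryUnsafe reproduces the raw-concatenation pattern (hypothetical helper).
func summaryUnsafe(title string) string { return "SUMMARY:" + title + "\r\n" }

// summarySafe escapes the value first. Folding at 75 octets is a separate step, omitted here.
func summarySafe(title string) string { return "SUMMARY:" + escapeText(title) + "\r\n" }

// propertyNames lists the property names a line-oriented parser would see.
func propertyNames(ical string) []string {
	var names []string
	isBreak := func(r rune) bool { return r == '\r' || r == '\n' }
	for _, line := range strings.FieldsFunc(ical, isBreak) {
		if i := strings.IndexAny(line, ":;"); i > 0 {
			names = append(names, line[:i])
		}
	}
	return names
}

func main() {
	title := "Buy milk\r\nX-INJECTED:1" // constructed sample title
	fmt.Println(propertyNames(summaryUnsafe(title))) // [SUMMARY X-INJECTED]
	fmt.Println(propertyNames(summarySafe(title)))   // [SUMMARY]
}
```

The same escaping applies to every TEXT-valued property built from user input, not only the title.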

Key dates

02 Disclosure timeline

April 10, 2026 CVE published
April 13, 2026 Record updated