What is CVE-2026-25935?

### Summary The task preview component creates a unparented div. The div's `innerHtml` is set to the unescaped description of the task ### Details In the `TaskGlanceTooltip.vue` it temporarily creates a div and sets the `innerHtml` to the description [here](https://github.com/go-vikunja/vikunja/blob/cdca79032526966cb248b72bddcf2a0f888c8a8f/frontend/src/components/tasks/partials/TaskGlanceTooltip.vue#L118). Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. ### PoC 1. Create a project 2. Create a task with any description 3. Use the api to update the task with a description containing unescaped HTML (ex: ` ` 4. Share the project with any permission level 5. Send malicious project to user and ask them to view task ### Impact Any user on an instance can cause an XSS on another

What is the severity of CVE-2026-25935?

CVE-2026-25935 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-25935?

No known public exploits are currently available for CVE-2026-25935.

Is there a patch available for CVE-2026-25935?

Yes, patches are available for CVE-2026-25935. Check the vendor advisories for update instructions.

CVE-2026-25935 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

The task preview component creates a unparented div. The div's innerHtml is set to the unescaped description of the task

Details

In the TaskGlanceTooltip.vue it temporarily creates a div and sets the innerHtml to the description here. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover.

PoC

Create a project
Create a task with any description
Use the api to update the task with a description containing unescaped HTML (ex: <img src=x onerror="alert(localStorage.getItem('token'))">
Share the project with any permission level
Send malicious project to user and ask them to view task

Impact

Any user on an instance can cause an XSS on another

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com