GHSA-m4g2-2q66-vc9v

Source

https://github.com/advisories/GHSA-m4g2-2q66-vc9v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-m4g2-2q66-vc9v/GHSA-m4g2-2q66-vc9v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m4g2-2q66-vc9v

Aliases

Published

2026-02-11T18:39:34Z

Modified

2026-02-19T20:40:57.637800Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Vikunja Vulnerable to XSS Via Task Preview

Details

Summary

The task preview component creates a unparented div. The div's innerHtml is set to the unescaped description of the task

Details

In the TaskGlanceTooltip.vue it temporarily creates a div and sets the innerHtml to the description here. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover.

PoC

Create a project
Create a task with any description
Use the api to update the task with a description containing unescaped HTML (ex: <img src=x onerror="alert(localStorage.getItem('token'))">
Share the project with any permission level
Send malicious project to user and ask them to view task

Impact

Any user on an instance can cause an XSS on another

Database specific

{
    "nvd_published_at": "2026-02-11T21:16:20Z",
    "github_reviewed_at": "2026-02-11T18:39:34Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Go / code.vikunja.io/api

Package

Name: code.vikunja.io/api; View open source insights on deps.dev
Purl: pkg:golang/code.vikunja.io/api

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.24.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-m4g2-2q66-vc9v/GHSA-m4g2-2q66-vc9v.json"