Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-35600

5.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 4 days, 2 hours ago

Vikunja has HTML Injection via Task Titles in Overdue Email Notifications

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj x_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/pull/2580 x_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64 x_refsource_MISC
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 x_refsource_MISC

Affected products

vikunja

==< 2.3.0

Matching in nixpkgs

pkgs.vikunja

Todo-app to organize your life

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2
nixos-25.11 2.2.2
- nixos-25.11-small 2.2.2
- nixpkgs-25.11-darwin 2.2.2

pkgs.vikunja-desktop

Desktop App of the Vikunja to-do list app

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@kolaente Konrad Langenberg <k@knt.li>