CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25935: Vikunja XSS: When 'Just Looking' Gets You Pwned

Vulnerability ID: CVE-2026-25935
CVSS Score: 8.6
Published: 2026-02-11

A high-severity Cross-Site Scripting (XSS) vulnerability was discovered in Vikunja, the open-source todo application. The flaw resides in the task preview mechanism, where the application improperly utilized the DOM to strip HTML tags from task descriptions. By leveraging a detached DOM element and the innerHTML property, an attacker can execute arbitrary JavaScript simply by convincing a victim to hover over a malicious task.

TL;DR

Hovering over a task in Vikunja < 1.1.0 triggers a stored XSS via the 'glance' tooltip. The app tried to strip HTML tags using innerHTML on a detached div, effectively executing the payload it meant to sanitize.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-80
  • CVSS 4.0: 8.6 (High)
  • Attack Vector: Network
  • User Interaction: Passive (Hover)
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Vikunja Frontend < 1.1.0
  • Vikunja: < 1.1.0 (Fixed in: 1.1.0)

Code Analysis

Commit: dd0b82f

fix: use domparser instead of innerhtml to strip html tags

- const tempDiv = document.createElement('div')
- tempDiv.innerHTML = props.task.description
- return tempDiv.textContent || tempDiv.innerText || ''
+ const doc = new DOMParser().parseFromString(props.task.description, 'text/html')
+ return doc.body.textContent || ''
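
Review bot: props.task.description is passed to parseFromString unguarded on the first added line, and parseFromString converts its argument to a string, so a null or undefined description would be parsed as the literal text "null" or "undefined" and returned as the preview. The removed innerHTML assignment treated null as an empty string, so this is a behaviour change if the field can be null. Suggest parseFromString(props.task.description ?? '', 'text/html'). It is also worth a one-line comment above the call stating that the DOMParser document is inert (no script execution, no resource loads that would fire error handlers) and must not be swapped back to innerHTML on an element created with document.createElement, since the two forms look equivalent to someone tidying the code later.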

Exploit Details

  • GitHub Advisory: Official advisory containing the vulnerability description and fix

Mitigation Strategies

  • Upgrade to Vikunja v1.1.0 or later immediately.
  • Implement Content Security Policy (CSP) to restrict where scripts can be loaded from and where data can be sent.
  • Use DOMPurify for any HTML rendering or manipulation in frontend code.

Remediation Steps:

  1. Pull the latest docker image: docker pull vikunja/vikunja
  2. Restart the Vikunja container.
  3. Verify the version in the frontend settings.

Read the full report for CVE-2026-25935 on our website for more details including interactive diagrams and full exploit analysis.
