CVE-2026-25935: Vikunja XSS: When 'Just Looking' Gets You Pwned

Published: February 11, 2026 at 06:10 PM EST
Source: Dev.to

Vulnerability Overview

  • Vulnerability ID: CVE-2026-25935
  • CVSS Score: 8.6 (High)
  • Published: 2026-02-11
  • CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, "Basic XSS")
  • Attack Vector: Network
  • User Interaction: Passive (Hover)
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Versions

  • Vikunja Frontend releases before the fixed v1.1.0 (the version named under Remediation).

The frontend built the task "glance" tooltip by writing the task description into a detached element via innerHTML and reading its text back. Because that element belongs to the live page document, an attacker who can set a task's description could embed markup whose inline event handlers execute when a victim hovers over the task and the tooltip is generated.

Technical Details

The vulnerable code (removed lines) and the fix (added lines):

- const tempDiv = document.createElement('div')
- tempDiv.innerHTML = props.task.description
- return tempDiv.textContent || tempDiv.innerText || ''
+ const doc = new DOMParser().parseFromString(props.task.description, 'text/html')
+ return doc.body.textContent || ''
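Review bot: the removed lines are not sanitisation and should not be described as such: `tempDiv.innerHTML = props.task.description` parses attacker-controlled markup into an element of the live page document, and although `innerHTML` never executes `<script>` elements, elements such as `<img src=x onerror=...>` start loading immediately and fire their event handlers even though `tempDiv` is never attached to the page. `new DOMParser().parseFromString(..., 'text/html')` builds a separate inert document (scripting disabled, no subresource loads), so `doc.body.textContent` yields the same stripped text without the side effect. Two details worth a comment in the hunk: `doc.body.textContent` drops any text the parser places in `<head>` (for example inside a `<title>`), a small behavioural difference from `tempDiv.textContent` that is acceptable for a tooltip; and the return value is decoded plain text (`&lt;` comes back as `<`), so the caller must insert it as text and never assign it to `innerHTML`.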

The fix replaces the innerHTML-based text extraction with a DOMParser approach. Setting innerHTML on a detached element does not run script tags, but the elements it creates still belong to the page's document: an image with a bad source starts loading and its inline onerror handler runs. A DOMParser document is inert (no script execution, no resource loading), so reading its body's textContent extracts the same plain text with no side effects.
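As an added illustration that is not part of the original post or of Vikunja's code, the page below reproduces both extraction patterns side by side on a constructed task description. Save it as an .html file and open it in a browser; the payload, the element id and the `window.__fired` counter are assumptions made for this demo.

```html
<!doctype html>
<meta charset="utf-8">
<title>Detached innerHTML vs DOMParser: same text, different side effects</title>
<pre id="log"></pre>
<script>
  // Constructed task description (not from the advisory). No <script> tag is
  // needed, because innerHTML never executes <script>; an <img> whose load
  // fails is enough, since its onerror attribute is an inline event handler.
  const payload =
    'Buy milk <img src="does-not-exist.png" onerror="window.__fired = (window.__fired || 0) + 1">';

  window.__fired = 0;

  function log(line) {
    document.getElementById('log').textContent += line + '\n';
  }

  // Pattern of the removed ("-") lines: the markup is parsed into an element
  // of the live page document. The element is never attached, but the <img>
  // it creates still starts loading and still runs its onerror handler.
  function extractTextVulnerable(html) {
    const tempDiv = document.createElement('div');
    tempDiv.innerHTML = html;
    return tempDiv.textContent || tempDiv.innerText || '';
  }

  // Pattern of the added ("+") lines: DOMParser builds a separate, inert
  // document (scripting disabled, no subresource loads), so the same
  // textContent comes back with no side effects.
  function extractTextSafe(html) {
    const doc = new DOMParser().parseFromString(html, 'text/html');
    return doc.body.textContent || '';
  }

  log('vulnerable path returned: ' + JSON.stringify(extractTextVulnerable(payload)));
  log('safe path returned:       ' + JSON.stringify(extractTextSafe(payload)));

  // The error event is delivered asynchronously; give the failed load time to settle.
  setTimeout(function () {
    log('onerror handler fired ' + window.__fired + ' time(s)');
    log(window.__fired === 1
      ? 'only the innerHTML path executed attacker-controlled code'
      : 'unexpected count; check the browser console');
  }, 2000);
</script>
```

Both functions return the identical string "Buy milk ", which is why code review alone can miss this: the output is the same and only the side effect differs, and the counter shows that only the innerHTML path ran the handler. Note that the extracted text is decoded plain text, so it must be rendered as text (textContent or a template interpolation); assigning it back to innerHTML would reintroduce the problem.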

Remediation

  1. Upgrade to Vikunja v1.1.0 or later.

  2. Pull the latest Docker image:

    docker pull vikunja/vikunja

  3. Recreate the Vikunja container from the new image. A plain restart is not enough: a restarted container keeps running the image it was created from, so remove and re-create it (for example `docker compose pull && docker compose up -d` when deploying with Compose).

  4. Verify the running version in the frontend settings.

  5. Deploy a Content Security Policy (CSP) that restricts script sources and data destinations. A `script-src` without `'unsafe-inline'` blocks inline event handlers such as the `onerror` used by this class of payload, and a tight `connect-src` and `img-src` limits where injected script could send data.

  6. Use a sanitisation library such as DOMPurify wherever the frontend renders or manipulates HTML. Text extraction via DOMParser, as in the fix, is only appropriate when the result is used as plain text.
