What is CVE-2026-35600?

CVE-2026-35600 is a medium-severity vulnerability in Go-vikunja Vikunja, classified under Cross-site Scripting. CVSS score: 5.4/10. Published 2026-04-10.

How severe is CVE-2026-35600?

Medium severity. CVSS v3 base score is 5.4 out of 10.

XSS in Go-vikunja Vikunja

CVE-2026-35600

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldm…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (10.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

Affected products

Go-vikunja Vikunja — versions < 2.3.0

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj (x_refsource_CONFIRM)
https://github.com/go-vikunja/vikunja/pull/2580 (x_refsource_MISC)
https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64 (x_refsource_MISC)
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-35600?: CVE-2026-35600 is a medium-severity vulnerability in Go-vikunja Vikunja, classified under Cross-site Scripting. CVSS score: 5.4/10. Published 2026-04-10.
How severe is CVE-2026-35600?: Medium severity. CVSS v3 base score is 5.4 out of 10.