CVE-2026-25935 is a cross-site scripting (XSS) vulnerability classified under CWE-80 affecting the go-vikunja vikunja todo application prior to version 1.1.0. The root cause lies in the TaskGlanceTooltip.vue component, which dynamically creates a div element and assigns the task description to its innerHtml property without any escaping or sanitization on either the client or server side. This improper neutralization of script-related HTML tags allows an attacker to inject arbitrary JavaScript code into task descriptions. When a user hovers over the malicious task's tooltip, the injected script executes in the victim’s browser context. Exploitation requires no authentication but does require user interaction (hovering over the task). The vulnerability can lead to theft of session cookies, unauthorized actions on behalf of the user, or other malicious behaviors typical of XSS attacks. The vulnerability has a CVSS 4.0 base score of 8.6 (high severity), reflecting its network attack vector, low attack complexity, no privileges required, but requiring user interaction and causing high confidentiality and integrity impact. The issue was publicly disclosed and fixed in version 1.1.0 of vikunja. No known exploits are reported in the wild as of now.

This vulnerability poses a significant risk to organizations using vulnerable versions of vikunja, especially those relying on it for task and project management. Successful exploitation can lead to client-side script execution, enabling attackers to steal sensitive information such as authentication tokens or cookies, perform actions on behalf of the user, or deliver further malware payloads. This compromises confidentiality and integrity of user data and can facilitate lateral movement within an organization’s network if attackers gain persistent access. Since vikunja is often used in collaborative environments, the risk extends to multiple users within an organization. The requirement for user interaction (hover) slightly limits automated exploitation but does not eliminate risk, especially in environments where users frequently interact with shared tasks. The vulnerability could also be leveraged in targeted phishing or social engineering campaigns. Although no known exploits are currently reported, the high CVSS score and ease of exploitation make timely remediation critical to prevent potential attacks.

The primary mitigation is to upgrade all instances of vikunja to version 1.1.0 or later, where the vulnerability is fixed. Organizations should audit their deployments to identify any running vulnerable versions. In addition, implement strict input validation and output encoding on both client and server sides to prevent injection of malicious scripts in user-generated content. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS. Educate users about the risks of interacting with untrusted content, especially in shared project environments. Regularly monitor logs and user activity for suspicious behavior that could indicate exploitation attempts. Consider isolating or sandboxing the application to limit the scope of any successful attack. Finally, maintain an up-to-date inventory of software components and apply security patches promptly.