CVE-2026-27116

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:26

Type Values Removed Values Added
References () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895 - Vendor Advisory, Exploit () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895 - Exploit, Vendor Advisory
Summary
  • (es) Vikunja es una plataforma de gestión de tareas de código abierto y autohospedada. Antes de la versión 2.0.0, existe una vulnerabilidad de inyección HTML reflejada en el módulo Proyectos, donde el parámetro URL «filter» se representa en el DOM sin codificación de salida cuando el usuario hace clic en «Filtrar». Aunque `

05 Mar 2026, 17:22

Type Values Removed Values Added
First Time Vikunja
Vikunja vikunja
References () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895 - () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895 - Vendor Advisory, Exploit
References () https://vikunja.io/changelog/vikunja-v2.0.0-was-released - () https://vikunja.io/changelog/vikunja-v2.0.0-was-released - Release Notes
CPE cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

25 Feb 2026, 22:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-25 22:16

Updated : 2026-06-17 10:26


NVD link : CVE-2026-27116

Mitre link : CVE-2026-27116

CVE.ORG link : CVE-2026-27116


JSON object : View

Products Affected

vikunja

  • vikunja
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)