Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.
References
| Link | Resource |
|---|---|
| https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895 | Vendor Advisory Exploit |
| https://vikunja.io/changelog/vikunja-v2.0.0-was-released | Release Notes |
Configurations
History
05 Mar 2026, 17:22
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Vikunja
Vikunja vikunja |
|
| References | () https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895 - Vendor Advisory, Exploit | |
| References | () https://vikunja.io/changelog/vikunja-v2.0.0-was-released - Release Notes | |
| CPE | cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* |
25 Feb 2026, 22:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-25 22:16
Updated : 2026-03-05 17:22
NVD link : CVE-2026-27116
Mitre link : CVE-2026-27116
CVE.ORG link : CVE-2026-27116
JSON object : View
Products Affected
vikunja
- vikunja