CVE-2026-27819

{"id": "CVE-2026-27819", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-02-25T22:16:27.127", "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-42wg-38gx-85rh", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}, {"url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released", "tags": ["Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-248"}]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we\u2019ve discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the database has been wiped permanently. The application trusts the metadata in the ZIP archive. It uses the Name attribute of the zip.File struct directly in os.OpenFile calls without validation, allowing files to be written outside the intended directory. The restoration logic assumes a specific directory structure within the ZIP. When provided with a \"minimalist\" malicious ZIP, the application fails to validate the length of slices derived from the archive contents. Specifically, at line 154, the code attempts to access an index of len(ms)-2 on an insufficiently populated slice, triggering a panic. Version 2.0.0 fixes the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto y autoalojada. Antes de la versi\u00f3n 2.0.0, la funci\u00f3n restoreConfig en vikunja/pkg/modules/dump/restore.go del repositorio go-vikunja/vikunja no logra sanear las rutas de archivo dentro del archivo ZIP proporcionado. Un ZIP creado maliciosamente puede eludir el directorio de extracci\u00f3n previsto para sobrescribir archivos arbitrarios en el sistema anfitri\u00f3n. Adem\u00e1s, hemos descubierto que un archivo malformado desencadena un p\u00e1nico en tiempo de ejecuci\u00f3n, bloqueando el proceso inmediatamente despu\u00e9s de que la base de datos haya sido borrada permanentemente. La aplicaci\u00f3n conf\u00eda en los metadatos del archivo ZIP. Utiliza el atributo Name de la estructura zip.File directamente en las llamadas a os.OpenFile sin validaci\u00f3n, permitiendo que los archivos se escriban fuera del directorio previsto. La l\u00f3gica de restauraci\u00f3n asume una estructura de directorio espec\u00edfica dentro del ZIP. Cuando se le proporciona un ZIP malicioso 'minimalista', la aplicaci\u00f3n no logra validar la longitud de las 'slices' derivadas del contenido del archivo. Espec\u00edficamente, en la l\u00ednea 154, el c\u00f3digo intenta acceder a un \u00edndice de len(ms)-2 en una 'slice' insuficientemente poblada, desencadenando un p\u00e1nico. La versi\u00f3n 2.0.0 corrige el problema."}], "lastModified": "2026-03-05T16:32:00.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53D82FAD-8E42-40F8-A11D-1FE7EDB4620B", "versionEndExcluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}