CVE-2026-27116

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.

Vulnerability Details

Published Date

February 25, 2026

Last Modified

February 27, 2026

CWE ID

CWE-79

Source

NVD

Vendor

go-vikunja

Product

vikunja

External References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895
https://vikunja.io/changelog/vikunja-v2.0.0-was-released

CVE-2026-27116

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment