CVE-2026-27116 MEDIUM

CVE-2026-27116: Vikunja has Reflected HTML Injection via filter Parameter in Projects Module

Vendor Go-Vikunja
Product vikunja
Weakness CWE-79 · XSS
Published February 25, 2026
Last update February 25, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.
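The advisory's core point is that blocking a few tag names is not output encoding: anything not on the list still reaches the DOM as markup. The following is an added example, not Vikunja's code and not the patch shipped in 2.0.0. It contrasts a hypothetical denylist renderer (strips only `<script>` and `<iframe>`, mirroring what the description says was blocked) with an encoding renderer, and includes a small check a reviewer or test suite can run over rendered output to detect markup that was not part of the template. The `filter-echo` wrapper and the sample filter strings are constructed for the example.

```javascript
// Added example (not Vikunja's code). Shows why a tag denylist is not a
// substitute for output encoding when a URL parameter is echoed into HTML.

// Encode the five characters that can start or end markup or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hypothetical "before" renderer: removes only <script> and <iframe> tags,
// then interpolates the rest of the parameter as raw HTML.
function denylistRender(filter) {
  const stripped = String(filter).replace(/<\/?(script|iframe)\b[^>]*>/gi, '');
  return `<p class="filter-echo">${stripped}</p>`;
}

// Hardened renderer: the parameter is treated as text, never as markup.
// In a real browser page the equivalent is element.textContent = filter.
function encodedRender(filter) {
  return `<p class="filter-echo">${escapeHtml(filter)}</p>`;
}

// Review/test helper: after removing the known template wrapper, does the
// rendered string still contain a tag-like sequence ('<' + optional '/' + letter)?
function containsInjectedTag(renderedHtml) {
  const wrapper = /^<p class="filter-echo">|<\/p>$/g;
  const body = renderedHtml.replace(wrapper, '');
  return /<\/?[a-z]/i.test(body);
}

// Constructed sample inputs, one per category the advisory names
// (formatting tag, anchor, svg) plus a benign filter and a script tag.
const SAMPLE_FILTERS = [
  'done = false',
  '<b>not bold</b>',
  '<a href="https://example.invalid/">click</a>',
  '<svg><text>button</text></svg>',
  '<script>x</script>',
];

// Renders every sample both ways and records whether markup leaked through.
function demo() {
  return SAMPLE_FILTERS.map(f => ({
    input: f,
    denylistLeaks: containsInjectedTag(denylistRender(f)),
    encodedLeaks: containsInjectedTag(encodedRender(f)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the denylist renderer leaking markup for the `<b>`, `<a>` and `<svg>` samples while catching only `<script>`, whereas the encoded renderer leaks nothing for any input. The `containsInjectedTag` check is the kind of assertion worth keeping in a frontend test suite for every place a query parameter is echoed back to the user.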

Key dates

Disclosure timeline

February 25, 2026 CVE published
February 25, 2026 Record updated