CVE-2026-27116
Received Received - Intake
Reflected HTML Injection in Vikunja Projects Enables Phishing

Publication date: 2026-02-25

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction β€” enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-03-05
Generated
2026-05-27
AI Q&A
2026-02-26
EPSS Evaluated
2026-05-26
NVD
CVE-2026-27116
EUVD
EUVD-2026-8749
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja to 2.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Vikunja, an open-source self-hosted task management platform, prior to version 2.0.0. It is a reflected HTML injection issue in the Projects module where the 'filter' URL parameter is rendered into the DOM without proper output encoding when the user clicks "Filter."

Although certain tags like <script> and <iframe> are blocked, other tags such as <svg>, <a>, and formatting tags like <h1>, <b>, and <u> are allowed without restriction. This enables attackers to create SVG-based phishing buttons, external redirect links, and spoof content within the trusted application origin.

The issue was fixed in version 2.0.0.


How can this vulnerability impact me? :

This vulnerability can impact users by allowing attackers to inject malicious HTML content into the application interface. This can lead to phishing attacks using SVG-based buttons, redirect users to external malicious sites via crafted links, and spoof legitimate content within the trusted application environment.

Such attacks can deceive users into performing unintended actions or disclosing sensitive information, potentially compromising user security and trust.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Vikunja version 2.0.0. To mitigate this vulnerability, you should upgrade your Vikunja installation to version 2.0.0 or later.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart