CVE-2026-27116
Received Received - Intake
Reflected HTML Injection in Vikunja Projects Enables Phishing

Publication date: 2026-02-25

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction β€” enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27116
EUVD
EUVD-2026-8749
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja to 2.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Vikunja, an open-source self-hosted task management platform, prior to version 2.0.0. It is a reflected HTML injection issue in the Projects module where the 'filter' URL parameter is rendered into the DOM without proper output encoding when the user clicks "Filter."

Although certain tags like <script> and <iframe> are blocked, other tags such as <svg>, <a>, and formatting tags like <h1>, <b>, and <u> are allowed without restriction. This enables attackers to create SVG-based phishing buttons, external redirect links, and spoof content within the trusted application origin.

The issue was fixed in version 2.0.0.

Impact Analysis

This vulnerability can impact users by allowing attackers to inject malicious HTML content into the application interface. This can lead to phishing attacks using SVG-based buttons, redirect users to external malicious sites via crafted links, and spoof legitimate content within the trusted application environment.

Such attacks can deceive users into performing unintended actions or disclosing sensitive information, potentially compromising user security and trust.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in Vikunja version 2.0.0. To mitigate this vulnerability, you should upgrade your Vikunja installation to version 2.0.0 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27116. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart