{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27116", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T18:42:27.043Z", "datePublished": "2026-02-25T21:33:50.448Z", "dateUpdated": "2026-02-25T21:38:05.386Z"}, "containers": {"cna": {"title": "Vikunja has Reflected HTML Injection via filter Parameter in Projects Module", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895"}, {"name": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T21:33:50.448Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction \u2014 enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue."}], "source": {"advisory": "GHSA-4qgr-4h56-8895", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:37:18.678129Z", "id": "CVE-2026-27116", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:38:05.386Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27116", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T21:37:18.678129Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:37:32.694Z"}}], "cna": {"title": "Vikunja has Reflected HTML Injection via filter Parameter in Projects Module", "source": {"advisory": "GHSA-4qgr-4h56-8895", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.0.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released", "name": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction \u2014 enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T21:33:50.448Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27116", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:38:05.386Z", "dateReserved": "2026-02-17T18:42:27.043Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T21:33:50.448Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "53D82FAD-8E42-40F8-A11D-1FE7EDB4620B", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction \u2014 enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue."}], "id": "CVE-2026-27116", "lastModified": "2026-03-05T17:22:12.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T22:16:24.723", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-04-18T10:33:03.894480+00:00", "value": {"mitigation_remediation": ["Apply the official 2.0.0 release or later to remove the unfiltered rendering of the filter parameter", "Configure a strict Content Security Policy that disallows execution of inline scripts and restricts loading of external resources", "Validate or sanitize the \u2018filter\u2019 parameter on both client\u2011 and server\u2011side, stripping disallowed tags such as <svg>, <a> and other markup before rendering"], "summary": {"action": "Immediate Patch", "impact": "Reflected XSS allowing phishing and content spoofing"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of Vikunja earlier than 2.0.0. Users running any 1.x or pre\u20112.0.0 release are at risk because the Projects module does not perform output encoding for the \u2018filter\u2019 URL parameter.", "description_and_impact": "Vikunja\u2019s Projects module renders the URL query parameter \u2018filter\u2019 into the page without proper output encoding. Although common executable tags are blocked, tags such as <svg>, <a>, and formatting elements (<h1>, <b>, <u>) are rendered unfiltered, enabling attackers to inject malicious SVG-based phishing buttons, external redirect links and visually deceptive content within the trusted application origin. This is a reflected cross\u2011site scripting vulnerability (CWE\u201179, CWE\u201180).", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity. The EPSS score is below 1\u202f%, suggesting exploitation is unlikely but still feasible, especially if users are tricked into entering malicious filter values or if the application is exposed to unknown users. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a malicious URL with a harmful \u2018filter\u2019 parameter and luring a victim to visit it within the application context. Because the reflected content is displayed inside the same origin, the impact is limited to information disclosure, UI spoofing and phishing, rather than remote code execution."}}}}, "created": "2026-02-26T13:10:53.300178+00:00", "updated": "2026-04-18T10:45:43.648457+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}