CVE-2026-27116
Published 2026-02-25
Priority: P4 (29) · Severity: medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.22% (12.5th percentile)
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `` and `` are blocked, ``, ``, and formatting tags (``, ``, ``) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.
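The description above makes the classic point that stripping a few "dangerous" tags is not the same as output encoding: whatever survives the denylist still becomes live markup once the value is written into the DOM. The following is an added example, not Vikunja's code, that contrasts a hypothetical denylist-only renderer with an encoding renderer on a constructed filter string. The function names, the template markup and the sample input are all assumptions made for illustration.

```javascript
// Added example (not from the Vikunja project): reflected HTML injection arises
// when user input is interpolated into markup; output encoding is the fix.

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical denylist (constructed to mirror the advisory's description, not
// the project's real logic): removes only a couple of tag names and nothing else.
function denylistOnly(value) {
  return String(value).replace(/<\/?(script|iframe)\b[^>]*>/gi, '');
}

// Vulnerable pattern: the (denylisted) input is interpolated straight into markup.
function renderFilterUnsafe(filter) {
  return `<p class="filter-summary">Showing results for: ${denylistOnly(filter)}</p>`;
}

// Hardened pattern: encode before interpolating. In a browser, prefer
// element.textContent = filter over building HTML strings at all.
function renderFilterSafe(filter) {
  return `<p class="filter-summary">Showing results for: ${escapeHtml(filter)}</p>`;
}

// Count the element tags in the rendered markup beyond the template's own
// <p> and </p>, i.e. how many tags the user input contributed.
function injectedTagCount(html) {
  const all = (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
  return all - 2; // the template always contributes exactly two tags
}

// Constructed sample: a plausible filter expression with markup appended.
const sampleFilter =
  'done = false <b>Notice</b> <a href="https://example.invalid/login">Re-authenticate</a>';

console.log('denylist only :', renderFilterUnsafe(sampleFilter));
console.log('encoded       :', renderFilterSafe(sampleFilter));
console.log('tags injected :', injectedTagCount(renderFilterUnsafe(sampleFilter)),
            'vs', injectedTagCount(renderFilterSafe(sampleFilter)));
```

Running it shows the denylist renderer emitting four attacker-controlled tags (the `<b>` and `<a>` pairs) inside the application's own markup, while the encoding renderer emits none: the same text is displayed literally, which is the behaviour a filter summary should have.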
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | 0 – 0.24.6 | — |
| go-vikunja | vikunja | < 2.0.0 | 2.0.0 |
| vikunja | vikunja | < 2.0.0 | 2.0.0 |
OSV · 2026-02-27: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api
OSV · 2026-02-25 [MEDIUM]: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module
## Summary
[Vikunja](https://github.com/go-vikunja/vikunja) is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `` and `` are blocked, ``, ``, and formatting tags (``, ``, ``) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin.
**Attack flow:** Attacker shares a crafted project filter link (routine Vikunja workflow) → victim opens it → victim clicks "Filter" (standard UI action) → phishing conte
GHSA · 2026-02-25 [MEDIUM] CWE-116: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module
No detection rules found.
No public exploits indexed.