CVE-2026-27116 — Cross-site Scripting in Vikunja

CWE-79 — Cross-site Scripting CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-116 — Improper Encoding or Escaping of Output5 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 98.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Vikunja Code.vikunja.io API

Timeline

PublishedFeb 25

Latest updateFeb 27

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `` and `` are blocked, ``, ``, and formatting tags (``, ``, ``) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDvikunja/vikunja< 2.0.0

▶CVEListV5go-vikunja/vikunja< 2.0.0

▶Gocode.vikunja.io/api0.24.6

🔴Vulnerability Details

OSV

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api↗2026-02-27

▶

OSV

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module↗2026-02-25

▶

GHSA

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module↗2026-02-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27116 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶