CVE-2026-27616 — Cross-site Scripting in Vikunja

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

7.3HIGHNVD

EPSS

0.1%

top 82.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Vikunja Code.vikunja.io API

Timeline

PublishedFeb 25

Latest updateFeb 27

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is accessed via its direct URL, it is rendered inline in the browser under the application's origin. As a result, embedded Java…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:NExploitability: 2.1 | Impact: 5.2

Affected Packages3 packages

▶NVDvikunja/vikunja< 2.0.0

▶CVEListV5go-vikunja/vikunja< 2.0.0

▶Gocode.vikunja.io/api0.24.6

🔴Vulnerability Details

OSV

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api↗2026-02-27

▶

GHSA

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure↗2026-02-25

▶

OSV

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure↗2026-02-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27616 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶