CVE-2026-27819Path Traversal in Vikunja

CWE-22Path TraversalCWE-248Uncaught Exception5 documents4 sources
Severity
7.2HIGHNVD
EPSS
0.0%
top 87.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Go-vikunja VikunjaVikunjaCode.vikunja.io API
Timeline
PublishedFeb 25
Latest updateFeb 27

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we’ve discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the da

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

NVDvikunja/vikunja< 2.0.0
CVEListV5go-vikunja/vikunja< 2.0.0

🔴Vulnerability Details

3
OSV
Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api2026-02-27
OSV
Vikunja has Path Traversal in CLI Restore2026-02-26
GHSA
Vikunja has Path Traversal in CLI Restore2026-02-26

🕵️Threat Intelligence

1
Wiz
CVE-2026-27819 Impact, Exploitability, and Mitigation Steps | Wiz