CVE-2026-27116: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module
Vikunja is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module: the filter URL parameter is rendered into the DOM without output encoding when the user clicks “Filter.” The rendering path blocks <script> and <iframe>, so the issue is not script execution, but <svg>, <a>, and formatting tags (<h1>, <b>, <u>) pass through unchanged. That is enough for SVG-based phishing buttons, links to external attacker-controlled sites, and content spoofing, all displayed within the trusted application origin. Tag blocklists of this kind are the wrong control for untrusted data in an HTML context; the defence is contextual output encoding (see the OWASP cheat sheet, fix commit and v2.0.0 release in the references).
Attack flow: Attacker shares a crafted project filter link (routine Vikunja workflow) → victim opens it → victim clicks “Filter” (standard UI action) → phishing content renders inside trusted Vikunja interface.
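The following is an added illustration, not Vikunja's code: it models the behaviour the advisory describes (a filter value read from the URL, a blocklist that removes only <script> and <iframe>, and raw insertion of the rest) beside the hardened form that entity-encodes the value for an HTML text context. The crafted link, the hostnames and the function names are constructed for the example.

```javascript
// Added example modelling CVE-2026-27116-style reflected HTML injection.
// Hostnames, payload and function names are constructed; this is not Vikunja's code.

// Constructed attacker link: a fake "session expired" banner with an SVG
// "button" that links off-origin. No script or iframe is needed.
const CRAFTED_LINK =
  "https://vikunja.example/projects/1?filter=" +
  encodeURIComponent(
    '<h1>Session expired</h1>' +
    '<a href="https://attacker.example/login">' +
    '<svg width="120" height="40"><text x="10" y="25">Sign in again</text></svg>' +
    '</a>'
  );

// The filter value exactly as the client would read it from the shared link.
function getFilterParam(link) {
  return new URL(link).searchParams.get("filter") ?? "";
}

// Vulnerable pattern: a tag blocklist before raw HTML insertion.
// Only <script> and <iframe> are stripped; every other tag reaches the DOM as markup.
function blocklistSanitize(html) {
  return html.replace(/<\/?(script|iframe)\b[^>]*>/gi, "");
}

function renderVulnerable(filter) {
  // Equivalent to el.innerHTML = ... (or a template's raw-HTML binding).
  return `<div class="filter-summary">${blocklistSanitize(filter)}</div>`;
}

// Hardened pattern: encode the untrusted value for an HTML text context,
// so the browser shows the characters instead of parsing them as elements.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(filter) {
  // Equivalent to el.textContent = ... (or a template's text interpolation).
  return `<div class="filter-summary">${encodeForHtml(filter)}</div>`;
}

// Check used below: does the rendered markup still contain any of the
// payload's elements as live tags? (The wrapper is a <div>, so it never matches.)
function hasInjectedElement(rendered) {
  return /<(svg|a|h1|b|u)\b/i.test(rendered);
}

const filter = getFilterParam(CRAFTED_LINK);
console.log("vulnerable:", renderVulnerable(filter));   // <h1>, <a>, <svg> survive
console.log("hardened:  ", renderHardened(filter));     // rendered as inert text
```

The blocklist does what the advisory says it does (a <script> or <iframe> payload is removed), which is exactly why such checks pass casual testing: the remaining tags are enough for a convincing phish inside the trusted origin. The hardened path makes no attempt to guess which tags are dangerous; it encodes the five HTML-significant characters and lets the browser display the filter as text.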
References
- cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Scripting_Prevention_Cheat_Sheet.html
- github.com/advisories/GHSA-4qgr-4h56-8895
- github.com/go-vikunja/vikunja
- github.com/go-vikunja/vikunja/commit/a42b4f37bde58596a3b69482cd5a67641a94f62d
- github.com/go-vikunja/vikunja/releases/tag/v2.0.0
- github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895
- nvd.nist.gov/vuln/detail/CVE-2026-27116