Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.
Published: 2026-02-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS allowing phishing and content spoofing
Action: Immediate Patch
AI Analysis

Impact

Vikunja’s Projects module renders the URL query parameter ‘filter’ into the page without output encoding. Although <script> and <iframe> are blocked, tags such as <svg>, <a>, and formatting elements (<h1>, <b>, <u>) are rendered unfiltered, allowing an attacker to inject SVG-based phishing buttons, external redirect links and visually deceptive content within the trusted application origin. This is a reflected cross-site scripting vulnerability (CWE-79, CWE-80).

Affected Systems

The vulnerability affects all versions of Vikunja earlier than 2.0.0. Users running any 1.x or pre‑2.0.0 release are at risk because the Projects module does not perform output encoding for the ‘filter’ URL parameter.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score is below 1%, suggesting exploitation is unlikely but still feasible, especially if users can be tricked into entering malicious filter values or if the application is exposed to unknown users. The vulnerability is not listed in the CISA KEV catalog. An attacker exploits the flaw by crafting a URL with a harmful ‘filter’ parameter and luring a victim to open it within the application context. Because the reflected content is displayed inside the same origin, the impact is limited to information disclosure, UI spoofing and phishing rather than remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 10:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official 2.0.0 release or later to remove the unfiltered rendering of the filter parameter
  • Configure a strict Content Security Policy that disallows execution of inline scripts and restricts loading of external resources
  • Validate or sanitize the ‘filter’ parameter on both client‑ and server‑side, stripping disallowed tags such as <svg>, <a> and other markup before rendering
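The third action above stops at stripping known-bad tags, which is the pattern the description shows failing; the following added example (not Vikunja's code, using an assumed template shape for the "Showing results for" line) contrasts such a blocklist with output encoding of the `filter` value, so the tags the blocklist still lets through are visible alongside the encoded result:

```javascript
// Added example (not Vikunja's code): why a tag blocklist leaves the reflected
// `filter` parameter exploitable, and why output encoding closes it.

// Hypothetical blocklist in the style the advisory describes: it strips only
// <script> and <iframe>, so <svg>, <a>, <h1> and similar tags pass through.
function blocklistFilter(input) {
  return input.replace(/<\/?(script|iframe)\b[^>]*>/gi, "");
}

// Output encoding: every HTML-significant character becomes an entity, so the
// browser shows the filter text literally and creates no elements from it.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed template shape (not Vikunja's): the filter is echoed back in a
// "Showing results for" line. Only the interpolation differs between the two.
function renderWithBlocklist(filter) {
  return `<p>Showing results for: ${blocklistFilter(filter)}</p>`;
}
function renderEncoded(filter) {
  return `<p>Showing results for: ${escapeHtml(filter)}</p>`;
}

// Names every element tag in a rendered fragment other than the wrapping <p>;
// any hit means user-controlled markup reached the DOM.
function injectedTags(html) {
  return [...html.matchAll(/<\/?([a-z][a-z0-9]*)\b/gi)]
    .map((m) => m[1].toLowerCase())
    .filter((tag) => tag !== "p");
}

// Constructed sample values standing in for the `?filter=` query parameter.
const SAMPLES = {
  benign: "done = false && priority >= 3",
  blocked: "<script>probe</script>",
  allowed: '<h1>Notice</h1><svg></svg><a href="https://example.invalid">link</a>',
};

// Compares both renderers on one filter value.
function compare(filter) {
  return {
    blocklist: injectedTags(renderWithBlocklist(filter)),
    encoded: injectedTags(renderEncoded(filter)),
  };
}

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(compare(value)));
}
```

Run with node: for the `allowed` sample the blocklist column lists the <h1>, <svg> and <a> tags that survive, while the encoded column is empty for every input.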

Advisories
Source: Github GHSA
ID: GHSA-4qgr-4h56-8895
Title: Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module
History

Thu, 05 Mar 2026 17:30:00 +0000

Type: First Time appeared
Values Added: Vikunja; Vikunja vikunja
Type: CPEs
Values Added: cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Vikunja; Vikunja vikunja

Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Go-vikunja; Go-vikunja vikunja
Type: Vendors & Products
Values Added: Go-vikunja; Go-vikunja vikunja

Wed, 25 Feb 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 21:45:00 +0000

Type: Description
Values Added: Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.
Type: Title
Values Added: Vikunja has Reflected HTML Injection via filter Parameter in Projects Module
Type: Weaknesses
Values Added: CWE-79; CWE-80
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:38:05.386Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27116

Vulnrichment

Updated: 2026-02-25T21:37:32.694Z

NVD

Status: Analyzed

Published: 2026-02-25T22:16:24.723

Modified: 2026-03-05T17:22:12.283

Link: CVE-2026-27116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses