Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we’ve discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the database has been wiped permanently. The application trusts the metadata in the ZIP archive. It uses the Name attribute of the zip.File struct directly in os.OpenFile calls without validation, allowing files to be written outside the intended directory. The restoration logic assumes a specific directory structure within the ZIP. When provided with a "minimalist" malicious ZIP, the application fails to validate the length of slices derived from the archive contents. Specifically, at line 154, the code attempts to access an index of len(ms)-2 on an insufficiently populated slice, triggering a panic. Version 2.0.0 fixes the issue.
Published: 2026-02-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite
Action: Immediate Patch
AI Analysis

Impact

A crafted ZIP archive processed by Vikunja's CLI restore command is extracted without sanitizing entry paths, so an entry whose name contains traversal components is written outside the intended extraction directory, giving arbitrary file overwrite on the host. A second defect in the same code path lets a malformed ("minimalist") archive trigger a runtime panic; because the panic occurs after the existing database has already been wiped, the result is a crash with permanent data loss rather than a clean failure. The weaknesses are Path Traversal (CWE-22) and Uncaught Exception (CWE-248), the latter from an unchecked slice index.

Affected Systems

All installations of the Vikunja task-management platform built from the go-vikunja/vikunja repository at a version older than 2.0.0. The affected component is the CLI restore command implemented in pkg/modules/dump/restore.go. Self-hosted deployments running any pre-2.0.0 release are vulnerable whenever an untrusted ZIP archive is passed to the restore command.

Risk and Exploitability

The CVSS v3.1 base score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The EPSS score is below 1%, and the issue is not listed in the CISA KEV catalog. Note that the recorded vector says network access, but the affected code is the CLI restore command: exploitation requires an operator with the privileges to run that command against an attacker-supplied archive, which matches the PR:H component and the SSVC rating of Automatable: no. Once that happens, traversal entries overwrite any file the restore process can write (if it runs as root, that can lead to privilege escalation or code execution), and a malformed archive crashes the process after the database has already been wiped. Running the restore process with least privilege and validating every archive entry path and the archive layout before extraction limit both outcomes.

Generated by OpenCVE AI on April 17, 2026 at 14:47 UTC.

Remediation

The advisory states that version 2.0.0 fixes the issue; upgrade to Vikunja 2.0.0 or later. No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Apply the latest Vikunja release (2.0.0 or newer) where the restore function sanitizes file paths and validates archive structure.
  • Restrict execution of the restore CLI to trusted users or environments; ensure the command is not exposed to untrusted input sources.
  • Inspect the archive listing before invoking restore and reject any archive containing an entry whose name is absolute or contains a '..' component; also confirm the archive has the expected dump layout, since the panic occurs after the database has already been wiped.
  • Consider disabling or removing the restore functionality if it is not required for your deployment.
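As an added example (not Vikunja's code and not taken from the advisory), the Go program below shows the two checks that the description and the recommended actions above call for: mapping each entry name onto the extraction root only after rejecting absolute names, backslashes and '..' components, and verifying the archive has the expected layout before any file is written or the existing database is touched. The dump layout in requiredEntries, the file names and the in-memory archives are constructed assumptions for illustration. The direct fix for the len(ms)-2 panic is a length guard before indexing; ordering the work so that validation precedes the wipe means a malformed archive fails closed rather than after the data is gone.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("zip entry escapes the extraction directory")

// requiredEntries is an ASSUMED dump layout for this example, not Vikunja's real one.
var requiredEntries = []string{"config.yml", "database.dump"}

// safeJoin maps a zip entry name onto a path under root, rejecting absolute names,
// backslashes and any ".." component. The vulnerable pattern the advisory describes
// was os.OpenFile(f.Name, ...) on the raw entry name with no such check.
func safeJoin(root, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(name) || strings.Contains(name, `\`) {
		return "", ErrTraversal
	}
	for _, part := range strings.Split(name, "/") {
		if part == ".." {
			return "", ErrTraversal
		}
	}
	return filepath.Join(root, filepath.FromSlash(name)), nil
}

// extractEntry writes one already-validated entry under root.
func extractEntry(root string, f *zip.File) error {
	dst, err := safeJoin(root, f.Name)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(dst), 0o750); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	data, err := io.ReadAll(rc)
	if err != nil {
		return err
	}
	return os.WriteFile(dst, data, 0o640)
}

// restore checks every entry name and the expected layout BEFORE writing anything;
// the destructive step (wiping the database) would follow only after extraction
// succeeds, instead of preceding code that can still fail.
func restore(root string, zipData []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if r == nil { // newer Go may return a populated reader plus ErrInsecurePath; our own check covers that
		return nil, err
	}
	seen := make(map[string]bool, len(r.File))
	for _, f := range r.File {
		if _, err := safeJoin(root, f.Name); err != nil {
			return nil, fmt.Errorf("entry %q: %w", f.Name, err)
		}
		seen[f.Name] = true
	}
	for _, req := range requiredEntries {
		if !seen[req] {
			return nil, fmt.Errorf("archive is missing required entry %q", req)
		}
	}
	var written []string
	for _, f := range r.File {
		if err := extractEntry(root, f); err != nil {
			return written, err
		}
		written = append(written, f.Name)
	}
	return written, nil
}

// buildZip makes an in-memory archive from constructed test data; zip.Writer
// accepts "../" names unchanged, which is why the reading side must check them.
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range entries {
		fw, _ := w.Create(name)
		io.WriteString(fw, body)
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	root, _ := os.MkdirTemp("", "restore-demo")
	defer os.RemoveAll(root)
	_, err := restore(root, buildZip(map[string]string{"config.yml": "a: 1", "database.dump": "x", "../../etc/cron.d/evil": "* * * * * root id\n"}))
	fmt.Println("traversal archive rejected:", err)
	_, err = restore(root, buildZip(map[string]string{"README": "x"}))
	fmt.Println("minimal archive rejected:", err)
}
```

The same entry-name rule applies to a pre-restore check outside the process: list the archive and refuse it if any name starts with '/' or contains a '..' component, then confirm the expected top-level files are present before handing it to the restore command.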

Generated by OpenCVE AI on April 17, 2026 at 14:47 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-42wg-38gx-85rh
Title: Vikunja has Path Traversal in CLI Restore
History

Thu, 05 Mar 2026 16:45:00 +0000

Values added:
  • First time appeared: Vikunja (vendor), vikunja (product)
  • CPEs: cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
  • Vendors & Products: Vikunja (vendor), vikunja (product)

Fri, 27 Feb 2026 01:15:00 +0000

Values added:
  • Metrics (SSVC): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Values added:
  • First time appeared: Go-vikunja (vendor), vikunja (product)
  • Vendors & Products: Go-vikunja (vendor), vikunja (product)

Wed, 25 Feb 2026 22:00:00 +0000

Values added:
  • Description: the advisory text shown at the top of this page
  • Title: Vikunja has Path Traversal in CLI Restore
  • Weaknesses: CWE-22, CWE-248
  • References: (none listed)
  • Metrics (CVSS v3.1): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:24:45.237Z

Reserved: 2026-02-24T02:32:39.799Z

Link: CVE-2026-27819

Vulnrichment

Updated: 2026-02-26T20:24:34.581Z

NVD

Status : Analyzed

Published: 2026-02-25T22:16:27.127

Modified: 2026-03-05T16:32:00.220

Link: CVE-2026-27819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses