ByteOS Network

NVD Vulnerability Details :

CVE-2026-27116

Awaiting Analysis

Source-security-advisories@github.com

Published At-25 Feb, 2026 | 22:16

Updated At-27 Feb, 2026 | 14:06

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 6.1

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	security-advisories@github.com
CWE-80	Primary	security-advisories@github.com

CWE ID: CWE-79

Type: Primary

Source: security-advisories@github.com

CWE ID: CWE-80

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895	security-advisories@github.com	N/A
https://vikunja.io/changelog/vikunja-v2.0.0-was-released	security-advisories@github.com	N/A

Hyperlink: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895

Source: security-advisories@github.com

Resource: N/A

Hyperlink: https://vikunja.io/changelog/vikunja-v2.0.0-was-released

Source: security-advisories@github.com

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History