Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-27616
Awaiting Analysis
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-25 Feb, 2026 | 22:16
Updated At-27 Feb, 2026 | 14:06

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as <script> tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is accessed via its direct URL, it is rendered inline in the browser under the application's origin. As a result, embedded JavaScript executes in the context of the authenticated user. Because the authentication token is stored in localStorage, it is accessible via JavaScript and can be retrieved by a malicious payload. Version 2.0.0 patches this issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity-advisories@github.com
CWE ID: CWE-79
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-7jp5-298q-jg98security-advisories@github.com
N/A
https://github.com/user-attachments/files/25414870/Stored.XSS.Proof.of.concept.pdfsecurity-advisories@github.com
N/A
https://vikunja.io/changelog/vikunja-v2.0.0-was-releasedsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-7jp5-298q-jg98
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/user-attachments/files/25414870/Stored.XSS.Proof.of.concept.pdf
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://vikunja.io/changelog/vikunja-v2.0.0-was-released
Source: security-advisories@github.com
Resource: N/A
Change History
0Changes found
Details not found