CVE-2026-27116
📋 TL;DR
Vikunja versions before 2.0.0 have a reflected HTML injection vulnerability in the Projects module's filter parameter. This allows attackers to inject malicious HTML elements like SVG phishing buttons and redirect links that render within the trusted application context. Self-hosted Vikunja instances running vulnerable versions are affected.
💻 Affected Systems
- Vikunja
📦 What is this software?
Vikunja by Vikunja
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create convincing phishing interfaces within the legitimate Vikunja application, tricking users into entering credentials or clicking malicious links that redirect to external malicious sites.
Likely Case
Phishing attacks where attackers craft malicious filter URLs containing SVG-based fake buttons or redirect links that appear legitimate within the Vikunja interface.
If Mitigated
With proper user awareness training and URL filtering, the impact is limited to visual content spoofing without data compromise.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) but no authentication. Attack vectors include phishing emails or malicious links.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.0
Vendor Advisory: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895
Restart Required: Yes
Instructions:
1. Back up your Vikunja data and configuration.
2. Stop the Vikunja service.
3. Update to version 2.0.0 using your deployment method (Docker, binary, package manager).
4. Restart the Vikunja service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block or sanitize HTML tags in URL parameters, particularly targeting <svg>, <a>, and formatting tags in the filter parameter.
Reverse Proxy Filtering
Configure the reverse proxy (nginx, Apache) to strip or encode HTML tags from URL parameters before they reach the Vikunja application.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to restrict inline scripts and external resources
- Deploy network-level URL filtering to block malicious URLs containing HTML tags in parameters
🔍 How to Verify
Check if Vulnerable:
Check if your Vikunja version is below 2.0.0 by visiting the About page in the web interface or checking the deployment configuration.
Check Version:
Run: docker inspect vikunja/vikunja | grep VERSION (the image or container name may differ in your deployment), or check the About page in the web interface.
Verify Fix Applied:
After updating to 2.0.0, confirm that HTML supplied in the filter parameter (e.g., ?filter=<svg>test</svg>) is returned encoded/escaped as text rather than rendered as markup.
📡 Detection & Monitoring
Log Indicators:
- URL requests containing HTML tags in filter parameter
- Unusual filter parameter values with <svg>, <a>, or formatting tags
Network Indicators:
- HTTP requests with HTML-encoded characters in URL parameters
- Multiple failed filter parameter validation attempts
SIEM Query:
url:*filter=*<* AND (url:*<svg* OR url:*<a* OR url:*<h1* OR url:*<b* OR url:*<u*)
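The SIEM query above matches a literal "<" in the URL, but browsers and tools typically percent-encode it (%3C), and a double-encoded probe (%253C) would slip past both. The following script is an added example, not part of this advisory or of Vikunja: it scans constructed combined-format access-log lines, percent-decodes the filter parameter repeatedly, and flags the tag names named in the indicators above. The log format, sample lines and tag list are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Tag names taken from this advisory's indicators (<svg>, <a>, headings and formatting tags).
TAG_RE = re.compile(r"<\s*/?\s*(svg|a|h[1-6]|b|u|i)\b", re.IGNORECASE)

# Minimal Apache/nginx "combined" access-log format: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def percent_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_filter_tags(target: str) -> list:
    """Sorted, lower-cased tag names found in the filter parameter(s) of a request target.
    parse_qs already percent-decodes once; percent_decode catches additional layers."""
    query = urlsplit(target).query
    tags = set()
    for raw in parse_qs(query, keep_blank_values=True).get("filter", []):
        tags.update(t.lower() for t in TAG_RE.findall(percent_decode(raw)))
    return sorted(tags)

def scan_access_log(lines: list) -> list:
    """Flag lines whose filter parameter carries HTML tags; other parameters are ignored on purpose."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = suspicious_filter_tags(m.group("target"))
        if tags:
            findings.append({"client": m.group("client"), "ts": m.group("ts"), "tags": tags})
    return findings

# Constructed sample lines (not real traffic): benign filter, encoded <svg> probe, double-encoded <a> probe, tag outside "filter".
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:00:00 +0000] "GET /projects/1?filter=done+%3D+false HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "GET /projects/1?filter=%3Csvg%3Etest%3C%2Fsvg%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2026:10:00:02 +0000] "GET /projects/1?filter=%253Ca%253Etest%253C%252Fa%253E HTTP/1.1" 200 512',
    '203.0.113.11 - - [10/Mar/2026:10:00:03 +0000] "GET /search?q=%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```

Point the script at real access logs by replacing SAMPLE_LOG with the file's lines; only the second and third sample lines produce findings.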