Stored Cross-Site Scripting Vulnerability in Vikunja Task Management Platform
CVE-2026-27616

7.3 HIGH

Key Information:

Vendor

Go-vikunja

Status
Vendor
CVE Published:
25 February 2026

What is CVE-2026-27616?

Vikunja is an open-source task management platform that, prior to version 2.0.0, allowed users to upload SVG files as task attachments. SVG files are XML documents and can carry executable JavaScript, and the application did not sanitize them before storing them. When accessed, a stored SVG rendered inline in the user's browser under the application's domain, so any embedded JavaScript executed with the privileges of the authenticated user. This exposed the authentication token, which is stored in localStorage, to theft by code embedded in an uploaded SVG. The vulnerability was addressed in version 2.0.0 of Vikunja.
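A defensive counterpart to the flaw described above, as an added example that is not Vikunja's own code or its 2.0.0 fix: a Go helper that decides how a stored attachment is served, forcing a download, a non-renderable type and a script-denying CSP for anything that names itself or sniffs as SVG, so the file is never rendered on the application's origin. The `inlineSafe` allowlist and the 1 KiB sniff window are assumptions.

```go
package main

import (
	"mime"
	"net/http"
	"path"
	"regexp"
	"strings"
)

// Matches the start of an SVG document, skipping an optional XML
// declaration, comments and DOCTYPE. The body is sniffed because the file
// name and the client-declared MIME type are both chosen by the uploader.
var svgStart = regexp.MustCompile(`(?is)^\s*(<\?xml[^>]*\?>\s*)?(<!--.*?-->\s*)*(<!DOCTYPE[^>]*>\s*)?<svg[\s>]`)

// Raster formats a browser can show inline without executing anything (assumed allowlist).
var inlineSafe = map[string]bool{"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true}

// IsSVG reports whether an uploaded attachment is SVG, by extension or by
// sniffing its first kilobyte (assumed limit).
func IsSVG(filename string, body []byte) bool {
	ext := strings.ToLower(path.Ext(filename))
	if ext == ".svg" || ext == ".svgz" {
		return true
	}
	if len(body) > 1024 {
		body = body[:1024]
	}
	return svgStart.Match(body)
}

// AttachmentHeaders builds the headers for serving a stored attachment so
// that it is never rendered as a document on the application's origin.
func AttachmentHeaders(filename, declaredType string, body []byte) http.Header {
	h := http.Header{}
	h.Set("X-Content-Type-Options", "nosniff") // browser must honour Content-Type as sent
	h.Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": path.Base(filename)}))
	if !IsSVG(filename, body) && inlineSafe[declaredType] {
		h.Set("Content-Type", declaredType)
		return h
	}
	// SVG and anything outside the allowlist: generic binary type plus a CSP
	// that denies script and sandboxes the response into an opaque origin,
	// so even a direct open cannot reach the app's localStorage token.
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}
```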

Affected Version(s)

vikunja < 2.0.0

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
