File Overwrite Vulnerability in Vikunja Task Management Platform
CVE-2026-27819

7.2HIGH

Key Information:

Vendor: Go-vikunja
Status: Vikunja
Vendor: CVE Published:; 25 February 2026

What is CVE-2026-27819?

Vikunja, an open-source self-hosted task management platform, has a security flaw in the restoreConfig function that fails to properly sanitize file paths within the provided ZIP archives, allowing malicious actors to bypass the intended extraction directory. This oversight can lead to arbitrary file overwrites on the host system. Furthermore, a specially crafted ZIP can trigger a runtime panic, causing the application to crash immediately after potentially wiping the database. The vulnerability arises because the application trusts file metadata in the ZIP archive and does not validate the extraction paths appropriately. This issue was rectified in version 2.0.0.

Affected Version(s)

vikunja < 2.0.0

References

https://github.com/go-vikunja/vikunja/security/advisories...

x_refsource_CONFIRM

https://vikunja.io/changelog/vikunja-v2.0.0-was-released

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 25, 2026
Vulnerability Reserved
Feb 24, 2026

CVE-2026-27819 Data

JSON

Go-vikunja

What is CVE-2026-27819?

Affected Version(s)

References

CVSS V3.1

Timeline