PT-2026-22026 · Vikunja · Vikunja

Sudo0Xksh · Published 2026-02-25 · Updated 2026-03-25 · CVE-2026-27116

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerable software and affected versions: Vikunja versions prior to 2.0.0
Description: Vikunja, a self-hosted task management platform, has a reflected HTML injection issue in the Projects module. The filter URL parameter is rendered into the DOM without output encoding when a user clicks "Filter". A denylist blocks <script> and <iframe> tags, but tags such as <svg>, <a>, <h1>, <b> and <u> are rendered without restriction, which enables SVG-based phishing buttons, links that redirect to external sites, and content spoofing inside the application. The vulnerability is triggered by a crafted project filter link shared by an attacker: when the victim opens it and clicks the "Filter" button, the injected markup renders inside the trusted Vikunja interface. The affected route is /projects/-1/-1?filter=PAYLOAD&page=1, with filter as the vulnerable parameter. The root cause is the use of v-html (or innerHTML), which inserts the filter value into the page as raw HTML without encoding. Because the denylist only matches specific tag names, every other element passes through, so the fix has to be output encoding at the rendering point rather than a longer denylist.
Recommendations (versions prior to 2.0.0):
- Replace v-html with v-text or {{ }} interpolation so the value is auto-escaped.
- HTML-entity encode the filter value at the rendering point.
- Replace the denylist with a strict DOMPurify allowlist, or stop rendering filter values as HTML altogether.
- Deploy a Content Security Policy (CSP) that includes form-action 'self'. Note that form-action only restricts where forms may submit; it does not stop an injected <a href> from navigating to an external site, so it is defense in depth rather than a fix on its own.
- Validate the filter value server-side and reject values that do not match the expected filter syntax.
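The following is an added example, not Vikunja's code, that contrasts the tag denylist described above with two of the recommended fixes: HTML-entity encoding at the rendering point and server-side syntax validation. The denylist reconstruction, the filter grammar and the payload are assumptions for illustration only; Vikunja's real parser and templates are not reproduced here.

```javascript
// Added example, not Vikunja's code: contrasts the tag denylist the advisory
// describes with two of its recommended fixes (entity encoding at the render
// point and server-side syntax validation). The filter grammar below is an
// assumption for illustration, not Vikunja's actual parser.

// Reconstruction (assumed) of a denylist that only strips <script> and <iframe>.
// Every other element, including <svg> and <a>, passes through untouched.
function denylistFilter(html) {
  return html.replace(/<\/?(script|iframe)\b[^>]*>/gi, "");
}

// Recommendation: HTML-entity encode the value at the rendering point.
// Covers the five characters that matter in text and attribute contexts.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return value.replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

// Recommendation: reject filter values that do not match the expected syntax.
// Assumed grammar: "field op value" clauses joined by && or ||. The value
// class deliberately excludes < > & so no markup can ever pass.
const CLAUSE = /^\s*[A-Za-z_]+\s*(=|!=|>=|<=|>|<|like|in)\s*[A-Za-z0-9_'",:\-\s]+$/;
function isValidFilter(filter) {
  return filter.split(/&&|\|\|/).every((clause) => CLAUSE.test(clause));
}

// What v-html effectively does: the denylisted string becomes live markup.
function renderFilterUnsafe(filter) {
  return `<span class="filter">${denylistFilter(filter)}</span>`;
}

// Hardened rendering: the value is text, never markup.
function renderFilterSafe(filter) {
  return `<span class="filter">${escapeHtml(filter)}</span>`;
}

// Constructed payload of the kind the advisory describes: an SVG "button"
// that links off-site, built only from tags the denylist allows.
const PAYLOAD =
  '<svg width="220" height="40"><a href="https://phish.invalid/login">' +
  '<rect width="220" height="40" fill="#1973ff"/>' +
  '<text x="12" y="26" fill="#fff">Session expired, sign in again</text></a></svg>';

// Summarises the behaviour of each approach on the payload and a benign filter.
function demo() {
  return {
    denylistPasses: denylistFilter(PAYLOAD) === PAYLOAD,
    unsafeRendersSvg: renderFilterUnsafe(PAYLOAD).includes("<svg"),
    safeRendersSvg: renderFilterSafe(PAYLOAD).includes("<svg"),
    validFilterAccepted: isValidFilter("done = false && priority >= 3"),
    payloadRejected: !isValidFilter(PAYLOAD),
  };
}

console.log(demo());
```

The point to take from the demo is that the denylist is a no-op against this payload, while either escaping at the render point or rejecting the value before it reaches the template stops it. The two measures are complementary: encoding fixes the sink, validation shrinks the input space, and neither depends on guessing which tag names an attacker will use next.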

Exploit

Fix

XSS

Improper Encoding or Escaping of Output


Weakness Enumeration

Related identifiers

CVE-2026-27116
GHSA-4QGR-4H56-8895
GO-2026-4552
SUSE-SU-2026:1042-1

Affected products

Vikunja