PT-2026-22032 · Vikunja · Vikunja

Iamsampathk +1

Published 2026-02-25 · Updated 2026-03-25 · CVE-2026-27616

CVSS v3.1: 7.3 High
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.0.0

Description: Vikunja, a self-hosted task management platform, does not sanitize SVG files uploaded as task attachments. An uploaded SVG can therefore contain JavaScript, which executes when the file is opened through its direct URL. Because the application renders SVG attachments inline instead of forcing a download, the embedded JavaScript runs in the context of the application's origin and can read the user's authentication token from localStorage, which can lead to account takeover. The vulnerability is classified as Stored Cross-Site Scripting (XSS). A malicious SVG attachment affects any authenticated user who accesses it, allowing an attacker to execute arbitrary JavaScript in the victim's browser, expose authentication tokens, perform actions on behalf of the victim, and potentially escalate privileges.

Recommendations: Update versions prior to 2.0.0 to version 2.0.0 or later. Sanitize all uploaded SVG files to remove potentially executable content such as <script> elements and event-handler attributes. Serve attachments with Content-Disposition: attachment so that browsers do not render them inline. Apply a strict Content Security Policy (CSP) that blocks script execution within uploaded files. Store authentication tokens in HttpOnly, Secure cookies rather than in localStorage, so that script cannot read them.
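The following is an added example written for this entry; it is not Vikunja's own code and does not reflect how the 2.0.0 fix was implemented. It shows two of the recommended controls in Go (the language Vikunja is written in): an upload check that rejects SVG files containing <script> elements or on* event-handler attributes, and an attachment handler that serves stored files with Content-Disposition: attachment, X-Content-Type-Options: nosniff and a sandboxing CSP so a browser never renders them inline. The in-memory store, the /attachments/ path and the sample SVG documents are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// hasActiveContent reports whether an SVG document carries the two classes of
// executable content the advisory names: <script> elements and on* event
// handler attributes. It walks the XML token stream rather than matching raw
// text, so element and attribute names are compared case-insensitively.
func hasActiveContent(svg []byte) (bool, error) {
	dec := xml.NewDecoder(bytes.NewReader(svg))
	dec.Strict = false // uploaded files are often sloppy; still tokenize them
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return false, nil
		}
		if err != nil {
			return false, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		if strings.EqualFold(se.Name.Local, "script") {
			return true, nil
		}
		for _, a := range se.Attr {
			if strings.HasPrefix(strings.ToLower(a.Name.Local), "on") {
				return true, nil
			}
		}
	}
}

// acceptUpload stores an attachment in the (constructed) in-memory store,
// rejecting SVG files that carry active content. The check keys on the file
// name, not on a client-supplied Content-Type, which an uploader controls.
func acceptUpload(store map[string][]byte, name string, body []byte) error {
	if strings.HasSuffix(strings.ToLower(name), ".svg") {
		active, err := hasActiveContent(body)
		if err != nil {
			return fmt.Errorf("rejecting %s: not well-formed SVG: %w", name, err)
		}
		if active {
			return fmt.Errorf("rejecting %s: SVG contains script or event-handler attributes", name)
		}
	}
	store[name] = body
	return nil
}

// serveAttachment writes a stored file with headers that stop the browser from
// rendering it inline: Content-Disposition: attachment forces a download,
// nosniff stops MIME guessing, and a sandboxing CSP blocks script execution
// even if a client ignores the disposition.
func serveAttachment(w http.ResponseWriter, name string, body []byte) {
	h := w.Header()
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(body)
}

// attachmentHandler serves files from the store under /attachments/<name>
// (a hypothetical route, not Vikunja's real one).
func attachmentHandler(store map[string][]byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(r.URL.Path, "/attachments/")
		body, ok := store[name]
		if name == "" || !ok {
			http.NotFound(w, r)
			return
		}
		serveAttachment(w, name, body)
	})
}

func main() {
	store := map[string][]byte{}
	// Constructed samples, not files from the advisory.
	clean := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>`)
	withHandler := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><rect onload="x()"/></svg>`)
	fmt.Println("clean upload:", acceptUpload(store, "logo.svg", clean))
	fmt.Println("handler upload:", acceptUpload(store, "bad.svg", withHandler))
	fmt.Println(http.ListenAndServe(":8080", attachmentHandler(store)))
}
```

Rejecting at upload time and forcing a download at serve time are independent layers: the first keeps active SVG out of storage, the second ensures that anything already stored (or missed by the parser) is still never rendered in the application's origin. Neither replaces moving the token out of localStorage, which is what removes the account-takeover impact.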

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-27616
GHSA-7JP5-298Q-JG98
GO-2026-4553
SUSE-SU-2026:1042-1

Affected Products

Vikunja