CVE-2026-27616
Published: 25 February 2026
Summary
CVE-2026-27616 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Vikunja. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). It ranks at the 20.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2026-27616 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Vikunja, an open-source self-hosted task management platform. Prior to version 2.0.0, Vikunja permits users to upload SVG files as task attachments without sanitizing their content. SVG, an XML-based format, supports JavaScript execution through elements like <script> tags or event handlers such as onload. When an uploaded SVG is accessed via its direct URL, it renders inline in the browser under the application's origin, allowing embedded JavaScript to execute in the context of the authenticated user. The vulnerability was published on 2026-02-25 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An attacker with low privileges (PR:L), such as any authenticated user, can exploit this by uploading a malicious SVG file containing JavaScript payloads as a task attachment. Exploitation requires a victim user (also authenticated) to interact by accessing the SVG's direct URL (UI:R), at which point the JavaScript executes in the victim's browser session. This grants access to the victim's authentication token stored in localStorage, enabling the attacker to exfiltrate it and potentially impersonate the victim for further actions, resulting in high confidentiality and integrity impacts.
The official GitHub security advisory (GHSA-7jp5-298q-jg98) documents the issue, including a proof-of-concept in an attached PDF. Vikunja's changelog confirms that version 2.0.0 patches the vulnerability by addressing SVG content sanitization during uploads. Security practitioners should advise upgrading to version 2.0.0 or later to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8752
Vulnerability details
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as <script> tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is accessed via its direct URL, it is rendered inline in the browser under the application's origin. As a result, embedded JavaScript executes in the context of the authenticated user. Because the authentication token is stored in localStorage, it is accessible via JavaScript and can be retrieved by a malicious payload. Version 2.0.0 patches this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS via an unsanitized SVG upload directly enables arbitrary JavaScript execution (T1059.007) in the victim's browser context and the subsequent theft of application access tokens from localStorage (T1528), facilitating session hijacking (T1185) and account impersonation.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of user-supplied SVG attachments to block embedded script elements and event handlers before storage.
- Requires filtering of information returned to users so that malicious SVG content cannot execute scripts when rendered inline under the application origin.
- SC-18 (Mobile Code): Restricts execution of mobile code (JavaScript inside SVG) delivered via user uploads, preventing token exfiltration from localStorage.
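As an added illustration of the SI-10 input-validation control above (example code written for this page, not Vikunja's own fix), the Go scanner below walks an uploaded SVG's XML token stream and reports the script-capable constructs the advisory describes, so the upload handler can reject the file before it is stored. The two sample SVGs are constructed, and the function names ScanSVG and isScriptURL are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"io"
	"strings"
)

// Constructed samples (not from the advisory): a benign icon, and an upload carrying the
// vectors the advisory names, with "javascript:" split by an encoded newline (&#10;).
const CleanSVG = `<svg xmlns="http://www.w3.org/2000/svg"><circle cx="4" cy="4" r="3"/></svg>`
const HostileSVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
<script>alert(document.domain)</script><a xlink:href="java&#10;script:alert(1)"><text x="1" y="4">x</text></a></svg>`

// isScriptURL strips the whitespace browsers ignore inside a URL, so "java\nscript:" still matches.
func isScriptURL(v string) bool {
	return strings.HasPrefix(strings.ToLower(strings.Join(strings.Fields(v), "")), "javascript:")
}

// ScanSVG walks the XML token stream of an upload and reports each script-capable
// construct the advisory describes: <script> elements, on* event-handler attributes and
// javascript: URLs in href/xlink:href. Any finding or parse error (strict decoder) means reject.
func ScanSVG(data []byte) ([]string, error) {
	dec := xml.NewDecoder(bytes.NewReader(data))
	var findings []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err // not well-formed XML: refuse rather than store
		}
		if se, ok := tok.(xml.StartElement); ok {
			name := strings.ToLower(se.Name.Local)
			if name == "script" {
				findings = append(findings, "element <script>")
			}
			for _, a := range se.Attr {
				an := strings.ToLower(a.Name.Local)
				if strings.HasPrefix(an, "on") {
					findings = append(findings, "event handler "+an+" on <"+name+">")
				} else if an == "href" && isScriptURL(a.Value) {
					findings = append(findings, "javascript: URL in href on <"+name+">")
				}
			}
		}
	}
}
```

A denylist scan like this catches the vectors named on the page but not every SVG feature that can run or load code, so it belongs in front of an allowlist sanitizer or a download-only (Content-Disposition: attachment) delivery of user uploads.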