CVE-2026-27616
Published: 25 February 2026
Summary
CVE-2026-27616 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Vikunja. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks at the 20.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects web inputs containing script-related content that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS via unsanitized SVG upload directly enables arbitrary JavaScript execution (T1059.007) in victim browser context and subsequent theft of application access tokens from localStorage (T1528), facilitating session hijacking (T1185) and account impersonation.
NVD Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as <script> tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is accessed via its direct URL, it is rendered inline in the browser under the application's origin. As a result, embedded JavaScript executes in the context of the authenticated user. Because the authentication token is stored in localStorage, it is accessible via JavaScript and can be retrieved by a malicious payload. Version 2.0.0 patches this issue.
Deeper analysis
CVE-2026-27616 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Vikunja, an open-source self-hosted task management platform. Prior to version 2.0.0, Vikunja permits users to upload SVG files as task attachments without sanitizing their content. SVG, an XML-based format, supports JavaScript execution through elements like <script> tags or event handlers such as onload. When an uploaded SVG is accessed via its direct URL, it renders inline in the browser under the application's origin, allowing embedded JavaScript to execute in the context of the authenticated user. The vulnerability was published on 2026-02-25 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An attacker with low privileges (PR:L), such as any authenticated user, can exploit this by uploading a malicious SVG file containing JavaScript payloads as a task attachment. Exploitation requires a victim user (also authenticated) to interact by accessing the SVG's direct URL (UI:R), at which point the JavaScript executes in the victim's browser session. This grants access to the victim's authentication token stored in localStorage, enabling the attacker to exfiltrate it and potentially impersonate the victim for further actions, resulting in high confidentiality and integrity impacts.
The official GitHub security advisory (GHSA-7jp5-298q-jg98) documents the issue, including a proof-of-concept in an attached PDF. Vikunja's changelog confirms that version 2.0.0 patches the vulnerability by addressing SVG content sanitization during uploads. Security practitioners should advise upgrading to version 2.0.0 or later to mitigate the risk.
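The two controls that break the chain described above, shown as an added illustration in Go (the language of the Vikunja API) that is not Vikunja's own code: an upload-time check that rejects SVGs carrying script-capable content, and a hypothetical attachment handler that serves stored files as downloads under a no-script CSP, so nothing renders inline under the application's origin. Function names and the exact header set are my choices, not the project's.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"io"
	"net/http"
	"strings"
)

// svgHasActiveContent reports whether an SVG carries script-capable content:
// <script> elements, on* event-handler attributes (onload, ...) or href values
// with a javascript: scheme. Malformed XML fails closed (treated as active).
func svgHasActiveContent(data []byte) bool {
	dec := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return false // reached the end without finding anything executable
		}
		if err != nil {
			return true
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue // text, comments and processing instructions carry no handlers
		}
		if strings.EqualFold(se.Name.Local, "script") {
			return true
		}
		for _, a := range se.Attr {
			// The tokenizer decodes character references, so &#x6a;avascript: is caught too.
			name := strings.ToLower(a.Name.Local)
			val := strings.ToLower(strings.TrimSpace(a.Value))
			if strings.HasPrefix(name, "on") || (name == "href" && strings.HasPrefix(val, "javascript:")) {
				return true
			}
		}
	}
}

// serveAttachment (hypothetical, not Vikunja's own) removes the inline-rendering
// precondition: download disposition plus no-script CSP, even for a stored SVG.
func serveAttachment(w http.ResponseWriter, name string, data []byte) {
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Disposition", `attachment; filename="`+strings.ReplaceAll(name, `"`, "")+`"`)
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	_, _ = w.Write(data)
}
```

The upload check is a denylist and the weaker of the two; serving attachments as downloads addresses the inline-rendering precondition directly.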
Details
- CWE(s)