CVE-2026-27116: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja
CVE-2026-27116 is a reflected cross-site scripting (XSS) vulnerability in the open-source task management platform Vikunja, affecting versions prior to 2.0.0. The flaw exists in the Projects module, where the 'filter' URL parameter is injected into the DOM without proper output encoding when users apply a filter. Although script and iframe tags are blocked, other HTML elements such as <svg>, <a>, and formatting tags are allowed, enabling attackers to craft SVG-based phishing buttons, external redirect links, and spoofed content within the trusted application origin. This vulnerability requires user interaction (clicking 'Filter') and can lead to partial confidentiality and integrity impacts but does not affect availability. The issue is fixed in Vikunja version 2.0.0. The CVSS score is 6.1.
AI Analysis
Technical Summary
CVE-2026-27116 is a reflected cross-site scripting (XSS) vulnerability identified in the open-source, self-hosted task management platform Vikunja, specifically in versions prior to 2.0.0. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), where the 'filter' URL parameter in the Projects module is rendered directly into the Document Object Model (DOM) without adequate output encoding or sanitization. When a user clicks the 'Filter' button, the application injects this parameter into the page, allowing an attacker to craft malicious payloads. Although the application blocks potentially dangerous tags such as <script> and <iframe>, it permits other HTML elements like <svg>, <a>, and formatting tags (<h1>, <b>, <u>) without restriction. This partial filtering enables attackers to embed SVG-based phishing buttons that can mimic legitimate UI controls, insert external redirect links to malicious sites, and spoof content within the trusted origin of the application. Such attacks can deceive users into performing unintended actions, potentially leading to credential theft, session hijacking, or redirection to malicious domains. The vulnerability does not require authentication or privileges but does require user interaction to trigger the malicious payload. The vulnerability has a CVSS v3.1 base score of 6.1, indicating medium severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. The issue was publicly disclosed on February 25, 2026, and fixed in Vikunja version 2.0.0. No known exploits have been reported in the wild to date.
Potential Impact
This vulnerability can have significant impacts on organizations using Vikunja versions prior to 2.0.0. Successful exploitation allows attackers to execute reflected XSS attacks, which can lead to phishing within the trusted application context, theft of user credentials or session tokens, and manipulation of displayed content to mislead users. This undermines user trust and can facilitate further attacks such as account takeover or lateral movement within an organization. Since Vikunja is a task management platform often used for collaboration and project tracking, compromise of user accounts or data integrity can disrupt business operations and leak sensitive project information. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments where users may be less security-aware. The lack of availability impact means systems remain operational, but confidentiality and integrity are at risk. Organizations relying on self-hosted Vikunja instances must consider the risk of targeted phishing campaigns leveraging this vulnerability.
Mitigation Recommendations
Organizations should upgrade all Vikunja instances to version 2.0.0 or later, where this vulnerability is fixed. Until upgrading is possible, administrators should implement strict input validation and output encoding on the 'filter' parameter to prevent injection of malicious HTML elements. Employing Content Security Policy (CSP) headers can help mitigate the impact by restricting the execution of injected content and blocking unauthorized external resource loading. User education is critical to reduce the risk of falling victim to phishing attempts exploiting this vulnerability. Additionally, monitoring web server logs for suspicious URL parameters and unusual user activity can help detect attempted exploitation. Network-level protections such as Web Application Firewalls (WAFs) can be configured to detect and block malicious payloads targeting the vulnerable parameter. Finally, organizations should review and harden their overall web application security posture, including regular vulnerability scanning and patch management.
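The log-monitoring recommendation above, as an added example that is not from the advisory or the Vikunja project: a scanner that flags access-log requests whose 'filter' parameter decodes to HTML markup, while letting legitimate comparison operators through. The log lines and the /projects path are constructed.

```javascript
// Added example (not from the advisory or Vikunja): scans access-log lines for
// 'filter' query parameters carrying HTML tags, a signal worth alerting on while
// an instance is unpatched. Log lines are constructed; the /projects path is assumed.

const SAMPLE_LOG = [
  '10.0.0.5 - - [25/Feb/2026:21:56:34 +0000] "GET /projects/3?filter=done%20%3D%20false HTTP/1.1" 200 5120',
  '10.0.0.7 - - [25/Feb/2026:21:57:01 +0000] "GET /projects/3?filter=%3Csvg%3E%3Ctext%3ESign%20in%3C%2Ftext%3E%3C%2Fsvg%3E HTTP/1.1" 200 5120',
  '10.0.0.9 - - [25/Feb/2026:21:58:12 +0000] "GET /projects/3?filter=due_date%20%3C%20now HTTP/1.1" 200 5120',
  '10.0.0.7 - - [25/Feb/2026:21:59:45 +0000] "GET /projects/3?filter=%3Ca%20href%3D%22https%3A%2F%2Fexample.invalid%22%3Eopen%3C%2Fa%3E HTTP/1.1" 200 5120',
  '10.0.0.2 - - [25/Feb/2026:22:00:00 +0000] "GET /api/v1/projects HTTP/1.1" 200 300',
];

// Request target from a combined-format line, or null when the line has none.
function requestPath(line) {
  const m = line.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Percent-decoded 'filter' value, or null if the target carries no such parameter.
function filterParam(path) {
  const q = path.indexOf("?");
  if (q < 0) return null;
  return new URLSearchParams(path.slice(q + 1)).get("filter");
}

// Coarse heuristic: '<' directly followed by an optional '/' and a letter looks like
// a tag; a bare comparison such as "due_date < now" does not match.
function isSuspiciousFilter(value) {
  return /<\/?[a-z]/i.test(value);
}

// Return one record per line whose filter parameter looks like markup.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const path = requestPath(line);
    if (!path) continue;
    const value = filterParam(path);
    if (value !== null && isSuspiciousFilter(value)) {
      hits.push({ client: line.split(" ")[0], filter: value });
    }
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) console.log(scanLog(SAMPLE_LOG));
```

Because the parameter is reflected rather than stored, the request log is the only server-side trace of an attempt; pair this with the client address to spot repeated probing from one source.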
Affected Countries
United States, Germany, France, United Kingdom, Netherlands, Canada, Australia, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T18:42:27.043Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f7012b7ef31ef0b5b7bce
Added to database: 2/25/2026, 9:56:34 PM
Last enriched: 2/25/2026, 10:13:16 PM
Last updated: 2/26/2026, 1:30:53 AM