DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27116: Vikunja HTML Injection: When a 'Filter' Becomes a Phishing Hook

Vulnerability ID: CVE-2026-27116
CVSS Score: 6.1
Published: 2026-02-25

A Reflected HTML Injection vulnerability in the Vikunja task management platform allows attackers to inject arbitrary HTML tags into the application's DOM via the filter parameter. By exploiting the way the TipTap editor parses string content, attackers can craft convincing phishing scenarios or redirect users to malicious sites, all under the guise of a trusted application URL.

TL;DR

Vikunja < 2.0.0 improperly handles the filter URL parameter when initializing the TipTap text editor. By passing a raw string to the editor's setContent method, the application inadvertently triggers HTML parsing. This allows attackers to inject specific HTML tags (like <a>, <svg>, <h1>), bypassing some sanitization, to conduct high-confidence phishing attacks or content spoofing.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS Score: 6.1 (Medium)
  • Impact: Content Spoofing / Phishing
  • Vulnerability: Reflected HTML Injection
  • Component: FilterInput.vue / TipTap Editor

Affected Systems

  • Vikunja (Self-hosted)
  • Vikunja Frontend
  • Vikunja: < 2.0.0 (Fixed in: 2.0.0)

Code Analysis

Commit: a42b4f3

Fix: Use JSON content format instead of a plain string to prevent TipTap from parsing the value as HTML

- editor.value.commands.setContent(content, { emitUpdate: false })
+ editor.value.commands.setContent(content ? { type: 'doc', content: [{ type: 'paragraph', content: [{ type: 'text', text: content }] }] } : '', { emitUpdate: false })
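Review bot: on the + line the empty case still goes through the string form (content ? {...} : ''), so keeping filter text away from TipTap's HTML parsing depends on that truthiness check staying exactly as written; consider passing a document with an empty paragraph for the empty case too, so every call uses the JSON form. The inline document literal is also long enough to deserve a small named helper with a comment recording why a plain string must not be passed, which would make a later revert to setContent(content, ...) easier to spot in review.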

Exploit Details

  • N/A: Exploit involves crafting a URL with HTML tags in the 'filter' query parameter.

Mitigation Strategies

  • Input Sanitization Bypass Prevention
  • Structured Data Handling
  • Strict Content Security Policy (CSP)

Remediation Steps:

  1. Upgrade Vikunja to version 2.0.0 or later immediately.
  2. If you are a developer using TipTap/ProseMirror, avoid passing raw strings to setContent(). Always construct a JSON node structure.
  3. Implement WAF rules to detect HTML tags in query parameters (e.g., filter parameter).
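Steps 2 and 3 sketched together as an added example (not Vikunja's code and not from the original report): one helper wraps untrusted text in a TipTap/ProseMirror JSON document, the other flags request URLs whose filter parameter contains tag-like text. The names textToDoc, filterHasMarkup, the /view path and the vikunja.example host are assumptions made for illustration.

```javascript
// Added example. textToDoc and filterHasMarkup are hypothetical helper names.

// Wrap untrusted text in a ProseMirror/TipTap JSON document so it is stored
// as literal characters. ProseMirror does not allow empty text nodes, so
// empty input produces a paragraph with no content.
function textToDoc(text) {
  const value = String(text ?? '');
  const paragraph = { type: 'paragraph' };
  if (value.length > 0) {
    paragraph.content = [{ type: 'text', text: value }];
  }
  return { type: 'doc', content: [paragraph] };
}

// "<" followed by an optional "/" and a letter: the start of an HTML tag.
// Comparisons written with a space or against a number ("priority < 3",
// "due_date <= now") do not match; "<" directly followed by a letter does,
// so treat a hit as a signal to review, not as proof of an attack.
const TAG_START = /<\/?[a-zA-Z]/;

// True when any `filter` query parameter of the request URL contains
// tag-like text. URLSearchParams percent-decodes each value once.
function filterHasMarkup(requestUrl) {
  // Constructed base host so relative request paths can be parsed.
  const url = new URL(requestUrl, 'https://vikunja.example');
  return url.searchParams.getAll('filter').some((v) => TAG_START.test(v));
}

// Constructed sample request URLs (not taken from the report).
const SAMPLES = [
  '/view?filter=done%20%3D%20false%20%26%26%20priority%20%3C%203',
  '/view?filter=%3Ch1%3Econstructed%3C%2Fh1%3E',
  '/view?filter=due_date%20%3C%3D%20now&filter=%3Csvg%3E',
];

// Returns the sample URLs that would be flagged for review.
function flaggedSamples() {
  return SAMPLES.filter(filterHasMarkup);
}

console.log(flaggedSamples());
console.log(JSON.stringify(textToDoc('<h1>constructed</h1>')));
```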


Read the full report for CVE-2026-27116 on our website for more details including interactive diagrams and full exploit analysis.