
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27616: Vikunja's Vector of Doom: Stored XSS via SVG


Vulnerability ID: CVE-2026-27616
CVSS Score: 7.3
Published: 2026-02-25

A critical Stored Cross-Site Scripting (XSS) vulnerability in Vikunja allows attackers to hijack sessions via malicious SVG attachments. By exploiting loose MIME type handling and inline rendering, an attacker can turn a simple task list into a weaponized payload delivery system.

TL;DR

Vikunja versions prior to 2.0.0 failed to sanitize SVG uploads or enforce download headers. This allows authenticated users to upload malicious SVG files containing JavaScript. When a victim views the file, the script executes in their session context, leading to immediate account takeover.


⚠️ Exploit Status: PoC

Technical Details

  • CWE: CWE-79 (Stored XSS)
  • CVSS: 7.3 (High)
  • Attack Vector: Network
  • Privileges: Low (Authenticated)
  • User Interaction: Required (Click link)
  • Exploit Maturity: PoC Available

Affected Systems

  • Vikunja (Self-Hosted)
  • Vikunja: < 2.0.0 (Fixed in: 2.0.0)

Exploit Details

  • GHSA: Advisory containing PoC payload structure.

Mitigation Strategies

  • Strict MIME type validation on all file uploads.
  • Enforce 'Content-Disposition: attachment' for all user-generated content.
  • Content Security Policy (CSP) to restrict where scripts can execute.
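The second and third mitigations in one place, as an added Go example (not Vikunja's own code): the type served is derived from the file bytes rather than from stored metadata, and every user upload is forced to download with nosniff and a sandboxing CSP, so an SVG can never render inline in the application's origin. The sample SVG, helper names and header values are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"net/http"
)

// Constructed sample: an SVG carrying a script element, as an upload might.
const sampleSVG = `<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>`

// isSVG parses the bytes as XML and reports whether the root element is <svg>.
// http.DetectContentType alone labels SVG as text/xml or text/plain, so the
// root element is checked explicitly; the stored MIME type is never consulted.
func isSVG(data []byte) bool {
	dec := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err != nil {
			return false // not well-formed XML (or EOF before any element)
		}
		if se, ok := tok.(xml.StartElement); ok {
			return se.Name.Local == "svg"
		}
	}
}

// attachmentHeaders builds response headers for serving a user upload: type from
// content, unconditional download disposition, nosniff so the browser does not
// reinterpret the type, and a sandbox CSP that denies script even if opened.
func attachmentHeaders(name string, data []byte) http.Header {
	h := http.Header{}
	ct := http.DetectContentType(data)
	if isSVG(data) {
		ct = "image/svg+xml"
	}
	h.Set("Content-Type", ct)
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

func main() {
	h := attachmentHeaders("diagram.svg", []byte(sampleSVG))
	fmt.Println(h.Get("Content-Type"), "|", h.Get("Content-Disposition"))
}
```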

Remediation Steps:

  1. Upgrade Vikunja to version 2.0.0 or later immediately.
  2. Run the vikunja repair file-mime-types command on the server CLI to fix existing file metadata.
  3. Invalidate existing user sessions if compromise is suspected.

