Vikunja has Reflected HTML Injection via filter Parameter in Projects Module
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While ` and are blocked, , , and formatting tags (, , `) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected HTML injection in Vikunja Projects module allows phishing via crafted filter parameter; fixed in version 2.0.0.
Vulnerability
Details
A reflected HTML injection vulnerability exists in Vikunja's Projects module. The filter URL parameter is rendered into the DOM without proper output encoding when a user clicks the "Filter" button. While ` and tags are blocked, other tags such as , , , , and ` are allowed without restriction, enabling content injection within the trusted application origin [2][3].
Exploitation
An attacker can craft a malicious link containing a payload in the filter parameter (e.g., /projects/-1/-1?filter=PAYLOAD&page=1) and share it with a victim. When the victim opens the link and clicks "Filter", the payload renders in the UI. The attack requires no special privileges beyond the victim being a Vikunja user [3].
Impact
The attacker can display arbitrary HTML content, including SVG-based phishing buttons that mimic legitimate UI elements, external redirect links, and content spoofing. This can lead to credential theft or redirection to malicious sites, as the content appears within the trusted Vikunja domain [3].
Mitigation
The vulnerability is fixed in Vikunja version 2.0.0. Users are strongly advised to update to this version immediately [1][2]. No workarounds are available for earlier releases.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
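The three paths described above (the raw string reaching an HTML parser, entity encoding per the OWASP cheat sheet cited in the references, and the structured-document shape the fix commit switches to) side by side, as an added example that is not Vikunja's code. The host `vikunja.example`, the filter payload, and every function name here are constructed for illustration; the JSON node shape mirrors the fix's `{type: 'doc', content: [...]}` form, and the markup heuristic at the end is an assumption about what a defender might log, not something the advisory prescribes.

```javascript
// Added example, not Vikunja code: three ways a filter string taken from a
// URL query parameter can reach a rich-text editor or the DOM, and a
// log-side heuristic for spotting markup in that parameter.

// Constructed sample link in the shape the advisory describes
// (/projects/-1/-1?filter=...&page=1). The host is a placeholder and the
// payload is a harmless formatting tag standing in for any injected markup.
const SAMPLE_FILTER = 'done = false <b>Session expired, sign in again</b>';
const SAMPLE_LINK =
  'https://vikunja.example/projects/-1/-1?filter=' +
  encodeURIComponent(SAMPLE_FILTER) + '&page=1';

// Pull the raw filter value out of a link the way a frontend would.
function extractFilterParam(link) {
  return new URL(link).searchParams.get('filter') ?? '';
}

// Vulnerable pattern: interpolating the raw string into HTML means any tags
// in it become live markup once a browser (or an editor's HTML parser)
// consumes the result.
function renderFilterUnsafe(text) {
  return `<p>${text}</p>`;
}

// Safe option 1: entity-encode the characters the OWASP XSS prevention
// cheat sheet lists for the HTML body context before interpolating.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}
function renderFilterEscaped(text) {
  return `<p>${escapeHtml(text)}</p>`;
}

// Safe option 2, the shape the fix commit uses: hand the editor a structured
// document whose single text node carries the string verbatim, so no HTML
// parsing step exists. Empty input becomes an empty document rather than
// an empty string, keeping every call on the JSON path.
function filterTextToDoc(text) {
  if (!text) return { type: 'doc', content: [] };
  return {
    type: 'doc',
    content: [{ type: 'paragraph', content: [{ type: 'text', text }] }],
  };
}

// Serialize such a document the way a renderer must: text nodes are
// encoded on output, so the two safe paths produce identical HTML.
function docToHtml(doc) {
  return doc.content
    .map((para) => '<p>' + para.content.map((n) => escapeHtml(n.text)).join('') + '</p>')
    .join('');
}

// Detection heuristic for a proxy or application log: a filter expression
// has no business containing tag-like tokens. It is deliberately loose
// (a "<" followed by a word and a later ">" is enough), so treat hits as
// review candidates, not proof.
const TAG_LIKE = /<\s*\/?\s*[a-z][a-z0-9-]*[^>]*>/i;
function looksLikeMarkup(text) {
  return TAG_LIKE.test(text);
}

// Stand-alone run: show the three renderings side by side.
if (typeof require !== 'undefined' && require.main === module) {
  const filter = extractFilterParam(SAMPLE_LINK);
  console.log('unsafe :', renderFilterUnsafe(filter));
  console.log('escaped:', renderFilterEscaped(filter));
  console.log('as doc :', JSON.stringify(filterTextToDoc(filter)));
  console.log('flagged:', looksLikeMarkup(filter));
}
```

Run it with `node` and compare the first two lines: the unsafe rendering carries a live `<b>` element, the escaped one carries `&lt;b&gt;` text. The structured document is the stronger of the two safe options because correctness no longer depends on remembering to encode at every call site; the text node simply cannot be interpreted as markup.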
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| code.vikunja.io/api | Go | <= 0.24.6 | — |
Affected products
- go-vikunja/vikunja v5: range < 2.0.0
Patches
a42b4f37bde5 fix: prevent reflected HTML injection via filter URL parameter
1 file changed · +21 −6
frontend/src/components/input/filter/FilterInput.vue+21 −6 modified@@ -170,9 +170,18 @@ function setEditorContentFromModelValue(newValue: string | undefined) { // Preserve cursor position before updating content const currentPosition = editor.value.state.selection.from - editor.value.commands.setContent(content, { - emitUpdate: false, - }) + // Use JSON content format instead of a plain string to prevent + // TipTap from parsing the value as HTML (reflected HTML injection + // via the ?filter= URL parameter). + editor.value.commands.setContent(content + ? { + type: 'doc', + content: [{ + type: 'paragraph', + content: [{type: 'text', text: content}], + }], + } + : '', {emitUpdate: false}) // Restore cursor position after content update // Ensure position is within the new content bounds @@ -190,9 +199,15 @@ function updateDateInQuery(newDate: string | Date | null) { const newText = currentText.replace(currentOldDatepickerValue.value, dateStr) currentOldDatepickerValue.value = dateStr - editor.value.commands.setContent(newText, { - emitUpdate: false, - }) + editor.value.commands.setContent(newText + ? { + type: 'doc', + content: [{ + type: 'paragraph', + content: [{type: 'text', text: newText}], + }], + } + : '', {emitUpdate: false}) const processed = processContent(newText) lastEmittedValue = processed emit('update:modelValue', processed)
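Review bot: in the first hunk (`setEditorContentFromModelValue`) the empty-string fallback `: '', {emitUpdate: false}` still sends `''` through the string overload of `setContent`, which is the parsing path the new comment says it is avoiding; returning an empty document object `{type: 'doc', content: []}` for the falsy case keeps every call on the JSON path and makes the intent uniform. The change is also frontend-only with no test (1 file changed, +21 −6): a unit test that feeds a model value containing `<b>` into this function and asserts the editor holds a plain text node rather than a bold mark would pin the fix against regression.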
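Review bot: the second hunk (`updateDateInQuery`) is a verbatim copy of the doc-building expression from the first; lift it into a small helper such as `textToDoc(text)` so the node shape and the empty-string handling cannot drift between the two call sites, and so a future third `setContent` caller does not reintroduce the string form by copying older code.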
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4qgr-4h56-8895 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27116 (GHSA, advisory)
- cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Scripting_Prevention_Cheat_Sheet.html (GHSA, web)
- github.com/go-vikunja/vikunja/commit/a42b4f37bde58596a3b69482cd5a67641a94f62d (GHSA, web)
- github.com/go-vikunja/vikunja/releases/tag/v2.0.0 (GHSA, web)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-4qgr-4h56-8895 (GHSA, x_refsource_CONFIRM, web)
- vikunja.io/changelog/vikunja-v2.0.0-was-released (GHSA, x_refsource_MISC, web)