Vikunja Vulnerable to Stored Cross-Site Scripting (XSS) via Unsanitized SVG Attachment Upload Leading to Token Exposure
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is accessed via its direct URL, it is rendered inline in the browser under the application's origin. As a result, embedded JavaScript executes in the context of the authenticated user. Because the authentication token is stored in localStorage, it is accessible via JavaScript and can be retrieved by a malicious payload. Version 2.0.0 patches this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja before 2.0.0 allows stored XSS via unsanitized SVG uploads, enabling theft of localStorage auth tokens.
Vulnerability
Vikunja, an open-source task management platform, fails to sanitize SVG files uploaded as task attachments. SVG supports JavaScript execution through ` tags or event handlers like onload`. The application stores these files without validation, and when accessed via direct URL, they render inline under the application's origin, allowing embedded scripts to execute in the authenticated user's browser context [1][3].
Exploitation
An authenticated attacker can upload a malicious SVG containing JavaScript that accesses localStorage.getItem('token') to retrieve the authentication token. When another user (or the attacker themselves) opens the attachment URL, the script runs immediately, exposing the token. No additional user interaction is required beyond viewing the attachment [3].
Impact
Successful exploitation leads to account takeover, as the attacker can use the stolen token to perform authenticated actions on behalf of the victim. This could include privilege escalation if the victim has higher privileges [3].
Mitigation
The issue is patched in Vikunja version 2.0.0, which includes major security improvements to session authentication and SVG handling [2][4]. Users are urged to upgrade immediately.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
code.vikunja.io/apiGo | <= 0.24.6 | — |
Affected products
2- go-vikunja/vikunjav5Range: < 2.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-7jp5-298q-jg98ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27616ghsaADVISORY
- github.com/go-vikunja/vikunja/releases/tag/v2.0.0ghsaWEB
- github.com/go-vikunja/vikunja/security/advisories/GHSA-7jp5-298q-jg98ghsax_refsource_CONFIRMWEB
- vikunja.io/changelog/vikunja-v2.0.0-was-releasedghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.