Vikunja Security Bulletin: 4 Critical Fixes (Path Traversal, XSS, HTML Injection, Weak Password Policy)

Critical Vulnerability Information Security Updates Includes four critical security fixes, each with a CVE identifier. Please update as soon as possible. Vulnerability Details 1. Denial of Service via Path Traversal and CLI Restore (CVE-2026-27819) - The command in the Vikunja CLI did not properly validate file paths within archives. - Crafted ZIP files could write files to unintended locations on the server, overwriting critical data. - If the existing database was cleared, a malformed archive could result in total data loss. - Fixed by implementing proper sanitization and validation. 2. Weak Password Policy and Persistent Sessions After Password Change (CVE-2026-27575) - Although Vikunja enforces a minimum password length of 8 characters during registration, it accepted very weak passwords when changing passwords. - After a password change, all previously active sessions remained valid, allowing attackers with compromised accounts to maintain access. - Fixed by enforcing minimum password strength requirements and invalidating all existing sessions upon password change. 3. Stored Cross-Site Scripting (XSS) via SVG Attachment Upload (CVE-2026-27616) - SVG images were allowed as task attachments without sanitizing their content. - Attackers could upload malicious SVG files containing embedded JavaScript, triggering a race condition that allowed browsers to render the SVG and execute the malicious code. - Fixed by properly setting the content type for attachments, preventing them from being rendered inline by the browser. 4. HTML Injection via Reflected Filter Parameters (CVE-2026-27116) - The URL parameter in the project view was rendered as raw HTML instead of plain text. - Attackers could inject SVG elements, links, and formatted text into the page. By leveraging shared project links, the injected content would appear within the trusted Vikunja interface when recipients opened the link and clicked the "Filter" button. - Fixed by replacing raw HTML rendering with properly escaped text output.

Goal Reached Thanks to every supporter — we hit 100%!

Vikunja Security Bulletin: 4 Critical Fixes (Path Traversal, XSS, HTML Injection, Weak Password Policy)