CVE-2026-27819

EPSS 0.06%
Veröffentlicht 25.02.2026 21:40:38
Zuletzt bearbeitet 27.02.2026 14:06:59
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we’ve discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the database has been wiped permanently. The application trusts the metadata in the ZIP archive. It uses the Name attribute of the zip.File struct directly in os.OpenFile calls without validation, allowing files to be written outside the intended directory. The restoration logic assumes a specific directory structure within the ZIP. When provided with a "minimalist" malicious ZIP, the application fails to validate the length of slices derived from the archive contents. Specifically, at line 154, the code attempts to access an index of len(ms)-2 on an insufficiently populated slice, triggering a panic. Version 2.0.0 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellergo-vikunja

≫

Produkt vikunja

Version < 2.0.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.19

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.

https://vikunja.io/changelog/vikunja-v2.0.0-was-released

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-42wg-38gx-85rh

https://nvd.nist.gov/vuln/detail/CVE-2026-27819

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27819

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27819

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27819