Vikunja Task Manager: Malicious ZIP Can Overwrite System Files
CVE-2026-27819
GHSA-42wg-38gx-85rh
Summary
A path traversal flaw in the restore feature of Vikunja's CLI lets a maliciously crafted ZIP archive write outside the intended extraction directory and overwrite arbitrary files on the host, which can lead to data loss or system compromise. A malformed archive can also crash the restore process after the existing database has already been wiped. Update to version 2.0.0 or later to fix the issue.
What to do
Upgrade to Vikunja 2.0.0 or later, which contains the fix (see the vendor advisory and release notes below). Until you can upgrade, restore only from dump archives you created yourself: the restore runs with the privileges of the user invoking the CLI, so a hostile archive can write anywhere that user can, and the existing database is wiped before the archive contents are checked.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| code.vikunja.io | api | <= 0.24.6 | – |
| vikunja | vikunja | < 2.0.0 | 2.0.0 |
| api | code.vikunja.io/api | <= 0.24.6 | – |
Original title
Vikunja has Path Traversal in CLI Restore
Original description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we've discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the database has been wiped permanently.

The application trusts the metadata in the ZIP archive. It uses the Name attribute of the zip.File struct directly in os.OpenFile calls without validation, allowing files to be written outside the intended directory.

The restoration logic assumes a specific directory structure within the ZIP. When provided with a "minimalist" malicious ZIP, the application fails to validate the length of slices derived from the archive contents. Specifically, at line 154, the code attempts to access an index of len(ms)-2 on an insufficiently populated slice, triggering a panic. Version 2.0.0 fixes the issue.
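The two defects the advisory describes, an archive entry name trusted as a file path and a destructive step that runs before the archive has been checked, are shown side by side in the following Go program. It is an added example written for this page, not Vikunja's code and not taken from the referenced fix commit. The requiredEntries layout, the injected wipe callback and the in-memory archives built by buildZip are assumptions constructed for the example; Vikunja's real dump layout may differ.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("zip entry escapes destination directory") // zip-slip entry name
var requiredEntries = []string{"config.yml", "database/dump.sql"}         // assumed layout, not Vikunja's

// safeJoin returns dest/name only when the joined, cleaned path stays inside dest. The vulnerable
// pattern is a bare filepath.Join(dest, f.Name) handed to os.OpenFile with no check afterwards.
func safeJoin(dest, name string) (string, error) {
	if !fs.ValidPath(name) || filepath.IsAbs(name) || strings.Contains(name, "\\") {
		return "", ErrUnsafePath // rejects empty names, absolute names, "." and ".." elements, backslashes
	}
	prefix := filepath.Clean(dest) + string(os.PathSeparator)
	target := filepath.Join(prefix, name) // Join collapses "..", so check where the result landed
	if !strings.HasPrefix(target, prefix) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// validateArchive runs before anything destructive: every name must stay inside dest and
// every required entry must exist, so a hostile or "minimalist" archive is refused up front.
func validateArchive(zr *zip.Reader, dest string) error {
	for _, f := range zr.File {
		if _, err := safeJoin(dest, f.Name); err != nil {
			return err
		}
	}
	for _, name := range requiredEntries {
		if _, err := fs.Stat(zr, name); err != nil { // zip.Reader implements fs.FS
			return errors.New("archive is missing required entry " + name)
		}
	}
	return nil
}

// restoreFromArchive is the hardened order: validate, then the destructive step (wipe is injected so
// callers can observe whether it ran), then extract.
func restoreFromArchive(zr *zip.Reader, dest string, wipe func() error) error {
	if err := validateArchive(zr, dest); err != nil {
		return err
	}
	if err := wipe(); err != nil {
		return err
	}
	for _, f := range zr.File {
		if strings.HasSuffix(f.Name, "/") {
			continue // directory entry; parent directories are created per file below
		}
		target, err := safeJoin(dest, f.Name) // re-checked even though validateArchive ran
		if err != nil {
			return err
		}
		data, err := fs.ReadFile(zr, f.Name)
		if err != nil {
			return err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o750); err != nil {
			return err
		}
		if err := os.WriteFile(target, data, 0o640); err != nil {
			return err
		}
	}
	return nil
}

// buildZip constructs an in-memory archive from name->content pairs (constructed test data).
func buildZip(entries map[string]string) (*zip.Reader, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range entries {
		fw, err := w.Create(name) // the writer does not validate names, so "../x" goes in as-is
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
}

func main() {
	dest, _ := os.MkdirTemp("", "restore-demo")
	defer os.RemoveAll(dest)
	zr, _ := buildZip(map[string]string{"../../evil.txt": "x", "config.yml": "a", "database/dump.sql": "b"})
	err := restoreFromArchive(zr, dest, func() error { panic("wipe ran before validation") })
	os.Stdout.WriteString("hardened restore refused the archive: " + err.Error() + "\n")
}
```

safeJoin checks containment on the joined result rather than trusting the raw name, so a name such as foo/../../x that looks local but cleans to an escape is caught as well. On Go 1.20 and later, filepath.IsLocal offers an equivalent check of the name alone, and running with GODEBUG=zipinsecurepath=0 makes zip.NewReader report such names as zip.ErrInsecurePath; neither replaces checking the path the program will actually open. The order in restoreFromArchive is the other half of the fix: with validation first, a hostile or incomplete archive returns an error while the live database is still intact.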
NVD CVSS 3.1
7.2
Vulnerability type
CWE-22 Path Traversal
CWE-248 Uncaught Exception
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-27819 (NVD)
- https://github.com/go-vikunja/vikunja/commit/1b3d8dc59cb5f2b759ab0ad2bc9915b993e... (Fix commit)
- https://github.com/advisories/GHSA-42wg-38gx-85rh (GitHub Advisory)
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-42wg-38gx-85rh (Vendor Advisory, Exploit)
- https://vikunja.io/changelog/vikunja-v2.0.0-was-released (Release Notes)
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27819... (Vendor Advisory)
- https://github.com/go-vikunja/vikunja (Product)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026