FKIE_CVE-2026-27819

Vulnerability from fkie_nvd - Published: 2026-02-25 22:16 - Updated: 2026-02-27 14:06
Summary
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we’ve discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the database has been wiped permanently. The application trusts the metadata in the ZIP archive. It uses the Name attribute of the zip.File struct directly in os.OpenFile calls without validation, allowing files to be written outside the intended directory. The restoration logic assumes a specific directory structure within the ZIP. When provided with a "minimalist" malicious ZIP, the application fails to validate the length of slices derived from the archive contents. Specifically, at line 154, the code attempts to access an index of len(ms)-2 on an insufficiently populated slice, triggering a panic. Version 2.0.0 fixes the issue.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we\u2019ve discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the database has been wiped permanently. The application trusts the metadata in the ZIP archive. It uses the Name attribute of the zip.File struct directly in os.OpenFile calls without validation, allowing files to be written outside the intended directory. The restoration logic assumes a specific directory structure within the ZIP. When provided with a \"minimalist\" malicious ZIP, the application fails to validate the length of slices derived from the archive contents. Specifically, at line 154, the code attempts to access an index of len(ms)-2 on an insufficiently populated slice, triggering a panic. Version 2.0.0 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto y autoalojada. Antes de la versi\u00f3n 2.0.0, la funci\u00f3n restoreConfig en vikunja/pkg/modules/dump/restore.go del repositorio go-vikunja/vikunja no logra sanear las rutas de archivo dentro del archivo ZIP proporcionado. Un ZIP creado maliciosamente puede eludir el directorio de extracci\u00f3n previsto para sobrescribir archivos arbitrarios en el sistema anfitri\u00f3n. Adem\u00e1s, hemos descubierto que un archivo malformado desencadena un p\u00e1nico en tiempo de ejecuci\u00f3n, bloqueando el proceso inmediatamente despu\u00e9s de que la base de datos haya sido borrada permanentemente. La aplicaci\u00f3n conf\u00eda en los metadatos del archivo ZIP. Utiliza el atributo Name de la estructura zip.File directamente en las llamadas a os.OpenFile sin validaci\u00f3n, permitiendo que los archivos se escriban fuera del directorio previsto. La l\u00f3gica de restauraci\u00f3n asume una estructura de directorio espec\u00edfica dentro del ZIP. Cuando se le proporciona un ZIP malicioso \u0027minimalista\u0027, la aplicaci\u00f3n no logra validar la longitud de las \u0027slices\u0027 derivadas del contenido del archivo. Espec\u00edficamente, en la l\u00ednea 154, el c\u00f3digo intenta acceder a un \u00edndice de len(ms)-2 en una \u0027slice\u0027 insuficientemente poblada, desencadenando un p\u00e1nico. La versi\u00f3n 2.0.0 corrige el problema."
    }
  ],
  "id": "CVE-2026-27819",
  "lastModified": "2026-02-27T14:06:59.787",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-25T22:16:27.127",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-42wg-38gx-85rh"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://vikunja.io/changelog/vikunja-v2.0.0-was-released"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-248"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

